
Compressed etcd snapshots are world-readable #13490

@tchatain

Environmental Info:
K3s Version:
k3s version v1.34.1+k3s1 (24fc436)
go version go1.24.6

Node(s) CPU architecture, OS, and Version:
Linux gimli 6.12.61-flatcar #1 SMP PREEMPT_DYNAMIC Fri Dec 12 15:21:28 -00 2025 x86_64 AMD Ryzen 9 9900X 12-Core Processor AuthenticAMD GNU/Linux

Cluster Configuration:
Single-node cluster

Describe the bug:
I recently added etcd-snapshot-compress: true to my config.yaml file. As a result, the etcd snapshots are now compressed, but the file permissions on them are very permissive.
Compressed snapshots: 0644
Older, uncompressed snapshots: 0600

Steps To Reproduce:

  • Run k3s etcd-snapshot save --etcd-snapshot-compress=true
  • Run k3s etcd-snapshot save --etcd-snapshot-compress=false
  • Compare the difference with ls -alh /var/lib/rancher/k3s/server/db/snapshots

Expected behavior:
The uncompressed permissions of 0600 seem like a strong default. Compressed snapshots should use that as well.

Actual behavior:
Compressed snapshots are world-readable

Additional context / logs:
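
An audit for the condition reported above, added here as an example and not part of the original issue or of k3s: it lists snapshot files that carry any group or other permission bit and can reset them to the 0600 mode the uncompressed snapshots use. The function names and the constructed sample file names are assumptions; the directory path is the one from the reproduction steps.

```shell
#!/bin/sh
# Audit a k3s etcd snapshot directory for files accessible beyond their owner.
# Default path taken from the issue's reproduction steps.
SNAPSHOT_DIR=/var/lib/rancher/k3s/server/db/snapshots

# Print every regular file under $1 that has any group/other permission bit set.
# Uses only POSIX "-perm -mode" tests so it works with GNU, BSD and BusyBox find.
loose_snapshots() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Reset every file reported by loose_snapshots to 0600, logging each change.
tighten_snapshots() {
    loose_snapshots "$1" | while IFS= read -r f; do
        chmod 0600 "$f" && printf 'tightened %s\n' "$f"
    done
}

# Build a throwaway directory with constructed sample files that mimic the
# two modes described in the issue (0644 compressed, 0600 uncompressed).
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/constructed-compressed.zip"
    : > "$d/constructed-uncompressed"
    chmod 0644 "$d/constructed-compressed.zip"
    chmod 0600 "$d/constructed-uncompressed"
    printf '%s\n' "$d"
}

# Report (without changing anything) when the real snapshot directory exists.
if [ -d "$SNAPSHOT_DIR" ]; then
    loose_snapshots "$SNAPSHOT_DIR"
fi
```

Run `tighten_snapshots "$SNAPSHOT_DIR"` as root to correct existing files; snapshots written later by an affected version need the same check again.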


Status: Accepted
