diff --git a/htdocs/install/etape1.php b/htdocs/install/etape1.php
index 419852f01b4540317fd23aaa3e7271fbafbd95ee..97ea932e78aeb983114a22faff08af880a7c3b72 100644
--- a/htdocs/install/etape1.php
+++ b/htdocs/install/etape1.php
@@ -208,7 +208,9 @@ if ($_POST["action"] == "set")
 		// Save old conf file on disk
 		if (file_exists("$conffile"))
 		{
-			@dol_copy($conffile, $conffile.'.old');	// We must ignore errors as an existing old file may alreday exists and not be replacable
+			// We must ignore errors as an existing old file may alreday exists and not be replacable
+			// Also no other process must be able to read file or we expose the new file so content with password.
+			@dol_copy($conffile, $conffile.'.old', '0400');
 		}
 
 		$error+=write_conf_file($conffile);
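Review bot: The `'0400'` mode passed in `@dol_copy($conffile, $conffile.'.old', '0400');` only shuts out other local accounts, because the backup is still owned and readable by the account running this installer, which is normally the web server itself. If `$conffile` lives under the document root (its path is not visible in this hunk), the `.old` copy no longer ends in `.php` and could be returned as plain text, password included, so it also needs a server-side deny rule or a location outside the web root. The return value is discarded and errors are suppressed, so a failed or stale backup goes unnoticed; logging the failure would help. The new comment would read more clearly as `// The backup holds the database password: restrict it to its owner.`. The enclosing `if ($_POST["action"] == "set")` block starts and ends outside this hunk.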
diff --git a/htdocs/lib/files.lib.php b/htdocs/lib/files.lib.php
index 6be72cdf00d9dc3f721e0d693edb7bf232698692..caa7e9f7c1f226b54554cab70327e02fff5240b8 100644
--- a/htdocs/lib/files.lib.php
+++ b/htdocs/lib/files.lib.php
@@ -304,11 +304,17 @@ function dol_is_file($pathoffile)
 
 /**
  * Copy a file to another file
+ * @param	$srcfile	Source file
+ * @param	$destfile	Destination file
+ * @param	$newmask	Mask for new file
  * @return	boolean		True if OK, false if KO
  */
-function dol_copy($srcfile, $destfile)
+function dol_copy($srcfile, $destfile, $newmask)
 {
-	return @copy($srcfile, $destfile);
+	dol_syslog("files.lib.php::dol_copy srcfile=".$srcfile." destfile=".$destfile." newmask=".$newmask);
+	$result=@copy($srcfile, $destfile);
+	@chmod($file, octdec($newmask));	// File must not be readable by any others
+	return $result;
 }
 
 ?>
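Review bot: The added `@chmod($file, octdec($newmask));` uses `$file`, which is never defined in dol_copy, so the call fails and `@` hides the failure; the password-bearing backup keeps whatever permissions copy() gave it and the fix has no effect. It should read `if ($result) @chmod($destfile, octdec($newmask));`. `$newmask` is also introduced as a required third parameter, which breaks any two-argument callers outside this diff; `function dol_copy($srcfile, $destfile, $newmask=0)` with the chmod skipped when no mask is given would keep them working. Even with the variable fixed, the file exists with the process's default mode between copy() and chmod(), so tightening `umask()` around the copy would close that window.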