-%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/bat.conf
-%attr(755,root,root) %{_sbindir}/bat
+# Do not make this file world-readable or any user will get full access to the
+# backup system
+%attr(640,root,bacula) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/bat.conf
+%attr(755,root,root) %{_bindir}/bat