ceph-daemon: be more restrictive with file permissions

author Sage Weil <sage@redhat.com>

Wed, 2 Oct 2019 02:12:23 +0000 (21:12 -0500)

committer Sage Weil <sage@redhat.com>

Sat, 5 Oct 2019 01:33:35 +0000 (20:33 -0500)
author Sage Weil <sage@redhat.com>
Wed, 2 Oct 2019 02:12:23 +0000 (21:12 -0500)
committer Sage Weil <sage@redhat.com>
Sat, 5 Oct 2019 01:33:35 +0000 (20:33 -0500)
diff --git a/src/ceph-daemon b/src/ceph-daemon

index e2fb47afed3ebd607fefcc34e0c978c9ead5c54e..bfcdff2df03aad361ce3f46e77d674c7a3ae13a0 100755 (executable)
--- a/src/ceph-daemon
+++ b/src/ceph-daemon
@@ -110,13 +110,14 @@ def create_daemon_dirs(fsid, daemon_type, daemon_id, uid, gid,
  
      if config:
          with open(data_dir + '/config', 'w') as f:
-            f.write(config)
              os.fchown(f.fileno(), uid, gid)
+            os.fchmod(f.fileno(), 0o600)
+            f.write(config)
      if keyring:
          with open(data_dir + '/keyring', 'w') as f:
-            f.write(keyring)
              os.fchmod(f.fileno(), 0o600)
              os.fchown(f.fileno(), uid, gid)
+            f.write(keyring)
  
  def get_config_and_keyring():
      if args.config_and_keyring:
@@ -228,6 +229,8 @@ def deploy_daemon(fsid, daemon_type, daemon_id, c, uid, gid,
  
          # write conf
          with open(mon_dir + '/config', 'w') as f:
+            os.fchown(f.fileno(), uid, gid)
+            os.fchmod(f.fileno(), 0o600)
              f.write(config)
      else:
          # dirs, conf, keyring
@@ -543,6 +546,8 @@ def command_bootstrap():
      ).run()
  
      with open(mon_dir + '/config', 'w') as f:
+        os.fchown(f.fileno(), uid, gid)
+        os.fchmod(f.fileno(), 0o600)
          f.write(config)
  
      mon_c = get_container(fsid, 'mon', mon_id)
author	Sage Weil <sage@redhat.com>
	Wed, 2 Oct 2019 02:12:23 +0000 (21:12 -0500)
committer	Sage Weil <sage@redhat.com>
	Sat, 5 Oct 2019 01:33:35 +0000 (20:33 -0500)