kv/RocksDBStore: tell rocksdb to set mode to 0600, not 0644

We don't want other users on the system to be able to read the rocksdb
database.

Fixes: https://tracker.ceph.com/issues/42114
Signed-off-by: Sage Weil <sage@redhat.com>
(cherry picked from commit d9a46f9f1e0b14e63ac0b8def7f7ae8a716a833a)

diff --git a/src/kv/RocksDBStore.cc b/src/kv/RocksDBStore.cc
index 39250bb919b260d60b5e7771952c3ff7bf48aa12..8a1c9382abd1f4932c75eb78282896684643141d 100644 (file)
--- a/src/kv/RocksDBStore.cc
+++ b/src/kv/RocksDBStore.cc
@@ -382,6 +382,8 @@ int RocksDBStore::load_rocksdb_options(bool create_if_missing, rocksdb::Options&
     opt.env = static_cast<rocksdb::Env*>(priv);
   }
 
+  opt.env->SetAllowNonOwnerAccess(false);
+
   // caches
   if (!set_cache_flag) {
     cache_size = g_conf()->rocksdb_cache_size;