From: Paul Cuzner Date: Wed, 2 Dec 2020 23:21:30 +0000 (+1300) Subject: cephadm: apply more restrictive permissions on TLS files X-Git-Tag: v16.1.0~349^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=1afc9d0fe8941279a252ab3c83a051b9981e9d4b;p=ceph.git cephadm: apply more restrictive permissions on TLS files Changes permissions from 640 to 600 on the crt/key and token files Signed-off-by: Paul Cuzner
---
diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 46a62d5b9d96..e46286d9901f 100755
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -6131,7 +6131,7 @@ WantedBy=ceph-{fsid}.target
 # Create the required config files in the daemons dir, with restricted permissions
 for filename in config:
- with open(os.open(os.path.join(self.daemon_path, filename), os.O_CREAT | os.O_WRONLY, mode=0o640), "w") as f:
+ with open(os.open(os.path.join(self.daemon_path, filename), os.O_CREAT | os.O_WRONLY, mode=0o600), "w") as f:
 f.write(config[filename])
 # When __file__ is we're being invoked over remoto via the orchestrator, so
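Review bot: The `mode=0o600` passed to `os.open` on the new `with open(os.open(...))` line only takes effect when the file is created, so a crt/key or token file already present in `self.daemon_path` from an earlier deployment keeps its 0o640 bits after this change. Setting the mode on the open descriptor, `os.fchmod(f.fileno(), 0o600)` placed before `f.write(config[filename])`, would cover both new and pre-existing files. The flags also lack `os.O_TRUNC`, so writing a shorter certificate or token over a longer existing one would leave stale trailing bytes; `os.O_CREAT | os.O_WRONLY | os.O_TRUNC` avoids that. The enclosing method starts and ends outside the hunk, so whether these files are removed before the loop runs cannot be confirmed from here.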