From: Sage Weil <sage@redhat.com>
Date: Wed, 2 Oct 2019 02:12:23 +0000 (-0500)
Subject: ceph-daemon: be more restrictive with file permissions
X-Git-Tag: v15.1.0~1313^2~28
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=208a6e5fe7255cab1e82c72e7903563dd22bfb5f;p=ceph.git

ceph-daemon: be more restrictive with file permissions

Signed-off-by: Sage Weil <sage@redhat.com>
---

diff --git a/src/ceph-daemon b/src/ceph-daemon
index e2fb47afed3e..bfcdff2df03a 100755
--- a/src/ceph-daemon
+++ b/src/ceph-daemon
@@ -110,13 +110,14 @@ def create_daemon_dirs(fsid, daemon_type, daemon_id, uid, gid,
 
     if config:
         with open(data_dir + '/config', 'w') as f:
-            f.write(config)
             os.fchown(f.fileno(), uid, gid)
+            os.fchmod(f.fileno(), 0o600)
+            f.write(config)
     if keyring:
         with open(data_dir + '/keyring', 'w') as f:
-            f.write(keyring)
             os.fchmod(f.fileno(), 0o600)
             os.fchown(f.fileno(), uid, gid)
+            f.write(keyring)
 
 def get_config_and_keyring():
     if args.config_and_keyring:
@@ -228,6 +229,8 @@ def deploy_daemon(fsid, daemon_type, daemon_id, c, uid, gid,
 
         # write conf
         with open(mon_dir + '/config', 'w') as f:
+            os.fchown(f.fileno(), uid, gid)
+            os.fchmod(f.fileno(), 0o600)
             f.write(config)
     else:
         # dirs, conf, keyring
@@ -543,6 +546,8 @@ def command_bootstrap():
     ).run()
 
     with open(mon_dir + '/config', 'w') as f:
+        os.fchown(f.fileno(), uid, gid)
+        os.fchmod(f.fileno(), 0o600)
         f.write(config)
 
     mon_c = get_container(fsid, 'mon', mon_id)