From: Adam King Date: Thu, 6 Jan 2022 12:24:52 +0000 (-0500) Subject: cephadm: change agent file permissions to 600 X-Git-Tag: v17.1.0~31^2~19 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=cb83ff070ae4a09b9f5861f6fc0d2dd8a3242c7c;p=ceph.git cephadm: change agent file permissions to 600 Fixes: https://tracker.ceph.com/issues/53541 Signed-off-by: Adam King (cherry picked from commit 0f839996df8c7065a982a92df13f9ec16298b541)
---
diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 5fd99fd4d706..175348ca2a40 100755
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -3781,14 +3781,14 @@ class CephadmAgent():
 # Create the required config files in the daemons dir, with restricted permissions
 for filename in config:
 if filename in self.required_files:
- with open(os.path.join(self.daemon_dir, filename), 'w') as f:
+ with open(os.open(os.path.join(self.daemon_dir, filename), os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
 f.write(config[filename])
- with open(os.path.join(self.daemon_dir, 'unit.run'), 'w') as f:
+ with open(os.open(os.path.join(self.daemon_dir, 'unit.run'), os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
 f.write(self.unit_run())
 unit_file_path = os.path.join(self.ctx.unit_dir, self.unit_name())
- with open(unit_file_path + '.new', 'w') as f:
+ with open(os.open(unit_file_path + '.new', os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
 f.write(self.unit_file())
 os.rename(unit_file_path + '.new', unit_file_path)
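Review bot: The three `os.open(..., os.O_CREAT | os.O_WRONLY, 0o600)` calls lose the truncation that `open(path, 'w')` provided, and they apply 0o600 only when the file is newly created. If a config file, `unit.run` or a leftover `unit_file_path + '.new'` already exists, for example on a redeploy, it keeps its previous mode, and a shorter payload leaves stale bytes from the old content at the end of the file. Add `os.O_TRUNC` to the flags and tighten pre-existing files explicitly with `os.fchmod(f.fileno(), 0o600)` right after each `with open(...) as f:`. The enclosing method starts and ends outside this hunk, so whether these files can pre-exist should be confirmed against its callers.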