From 208a6e5fe7255cab1e82c72e7903563dd22bfb5f Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Tue, 1 Oct 2019 21:12:23 -0500
Subject: [PATCH] ceph-daemon: be more restrictive with file permissions
Signed-off-by: Sage Weil
---
 src/ceph-daemon | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/ceph-daemon b/src/ceph-daemon
index e2fb47afed3eb..bfcdff2df03aa 100755
--- a/src/ceph-daemon
+++ b/src/ceph-daemon
@@ -110,13 +110,14 @@ def create_daemon_dirs(fsid, daemon_type, daemon_id, uid, gid,
 if config:
 with open(data_dir + '/config', 'w') as f:
- f.write(config)
 os.fchown(f.fileno(), uid, gid)
+ os.fchmod(f.fileno(), 0o600)
+ f.write(config)
 if keyring:
 with open(data_dir + '/keyring', 'w') as f:
- f.write(keyring)
 os.fchmod(f.fileno(), 0o600)
 os.fchown(f.fileno(), uid, gid)
+ f.write(keyring)
 def get_config_and_keyring():
 if args.config_and_keyring:
@@ -228,6 +229,8 @@ def deploy_daemon(fsid, daemon_type, daemon_id, c, uid, gid,
 # write conf
 with open(mon_dir + '/config', 'w') as f:
+ os.fchown(f.fileno(), uid, gid)
+ os.fchmod(f.fileno(), 0o600)
 f.write(config)
 else:
 # dirs, conf, keyring
@@ -543,6 +546,8 @@ def command_bootstrap():
 ).run()
 with open(mon_dir + '/config', 'w') as f:
+ os.fchown(f.fileno(), uid, gid)
+ os.fchmod(f.fileno(), 0o600)
 f.write(config)
 mon_c = get_container(fsid, 'mon', mon_id)
-- 
2.39.5
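Review bot: In create_daemon_dirs the config and keyring files are still created by `open(..., 'w')` under the process umask and only tightened afterwards by `os.fchmod(f.fileno(), 0o600)`, so a descriptor another local process obtains between creation and the fchmod stays readable once the secret is written. Creating the file restricted from the start closes that window: `fd = os.open(data_dir + '/keyring', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`, keeping the fchmod for a file that already exists with a wider mode. Whether the window is reachable in practice depends on the mode of data_dir, which is set outside this hunk. The same pattern applies to the `mon_dir + '/config'` writes in the deploy_daemon and command_bootstrap hunks.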
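Review bot: The fchown/fchmod/write sequence added under `# write conf` in deploy_daemon is the fourth copy of the same three calls (two in create_daemon_dirs, one in command_bootstrap), and the copies already differ in call order: the keyring block calls fchmod before fchown, the others the reverse. One helper would keep the permission handling from drifting apart the next time a file is added; the helper name below is only a suggestion. deploy_daemon's body starts and ends outside the hunk.

```python
def write_private_file(path, content, uid, gid):
    """Write content to path, owned by uid:gid and accessible to the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        # an existing file keeps its old owner and mode, so set both before writing
        os.fchown(f.fileno(), uid, gid)
        os.fchmod(f.fileno(), 0o600)
        f.write(content)

# … unchanged: earlier part of deploy_daemon …
        # write conf
        write_private_file(mon_dir + '/config', config, uid, gid)
```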