From cb83ff070ae4a09b9f5861f6fc0d2dd8a3242c7c Mon Sep 17 00:00:00 2001
From: Adam King
Date: Thu, 6 Jan 2022 07:24:52 -0500
Subject: [PATCH] cephadm: change agent file permissions to 600
Fixes: https://tracker.ceph.com/issues/53541
Signed-off-by: Adam King
(cherry picked from commit 0f839996df8c7065a982a92df13f9ec16298b541)
---
 src/cephadm/cephadm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 5fd99fd4d706..175348ca2a40 100755
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -3781,14 +3781,14 @@ class CephadmAgent():
 # Create the required config files in the daemons dir, with restricted permissions
 for filename in config:
 if filename in self.required_files:
- with open(os.path.join(self.daemon_dir, filename), 'w') as f:
+ with open(os.open(os.path.join(self.daemon_dir, filename), os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
 f.write(config[filename])
- with open(os.path.join(self.daemon_dir, 'unit.run'), 'w') as f:
+ with open(os.open(os.path.join(self.daemon_dir, 'unit.run'), os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
 f.write(self.unit_run())
 unit_file_path = os.path.join(self.ctx.unit_dir, self.unit_name())
- with open(unit_file_path + '.new', 'w') as f:
+ with open(os.open(unit_file_path + '.new', os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
 f.write(self.unit_file())
 os.rename(unit_file_path + '.new', unit_file_path)
-- 
2.47.3
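Review bot: All three `os.open(..., os.O_CREAT | os.O_WRONLY, 0o600)` calls lose the truncation that `open(path, 'w')` performed, because Python does not truncate a file when `open()` is given an already-open descriptor. Rewriting a config file or `unit.run` with shorter content therefore leaves stale bytes from the previous version at the end of the file. The `0o600` mode is also honoured only when the file is created, so files written by an earlier cephadm keep their wider permissions, which is presumably the upgrade case this fix targets. Adding `os.O_TRUNC` to the flags and calling `os.fchmod(f.fileno(), 0o600)` before each `f.write(...)` would cover both. The enclosing `CephadmAgent` method starts and ends outside the hunk.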