From cd3447d04cabf6745001afeef69f25a92400cd0e Mon Sep 17 00:00:00 2001
From: Loic Dachary
Date: Thu, 4 Dec 2014 22:21:32 +0100
Subject: [PATCH] ceph-disk: dmcrypt file permissions

The directory in which key files are stored for dmcrypt must be 700 and the file 600.

http://tracker.ceph.com/issues/9785 Fixes: #9785

Signed-off-by: Loic Dachary
(cherry picked from commit 58682d1776ab1fd4daddd887d921ca9cc312bf50)
---
 src/ceph-disk | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/ceph-disk b/src/ceph-disk
index 2eabb82d80394..6bd02201bd8b7 100755
--- a/src/ceph-disk
+++ b/src/ceph-disk
@@ -791,11 +791,13 @@ def get_or_create_dmcrypt_key(
 # make a new key
 try:
 if not os.path.exists(key_dir):
- os.makedirs(key_dir)
+ os.makedirs(key_dir, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR)
 with file('/dev/urandom', 'rb') as i:
 key = i.read(256)
- with file(path, 'wb') as key_file:
- key_file.write(key)
+ fd = os.open(path, os.O_WRONLY|os.O_CREAT,
+ stat.S_IRUSR|stat.S_IWUSR)
+ assert os.write(fd, key) == len(key)
+ os.close(fd)
 return path
 except:
 raise Error('unable to read or create dm-crypt key', path)
-- 
2.39.5
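Review bot: The key write sits inside an `assert` (`assert os.write(fd, key) == len(key)`), so under `python -O` the whole statement is stripped and the key file is created empty. The write should be a plain statement with an explicit length check, and `os.close(fd)` belongs in a `finally` so the descriptor is not leaked when the write fails. Separately, the modes passed to `os.makedirs` and `os.open` are masked by the umask and only take effect on creation, so a `key_dir` or key file that already exists keeps its old permissions unless an `os.chmod` follows. Adding `os.O_EXCL` to the open flags would refuse a pre-existing file at `path`, assuming the part of `get_or_create_dmcrypt_key` before this hunk (not visible here) already returns early for an existing key.

```python
        fd = os.open(path, os.O_WRONLY|os.O_CREAT,
                     stat.S_IRUSR|stat.S_IWUSR)
        try:
            # plain statement: an assert would be removed under -O
            written = os.write(fd, key)
        finally:
            os.close(fd)
        if written != len(key):
            raise Error('short write of dm-crypt key', path)
        # … unchanged: return path and the except clause …
```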