From 1afc9d0fe8941279a252ab3c83a051b9981e9d4b Mon Sep 17 00:00:00 2001
From: Paul Cuzner
Date: Thu, 3 Dec 2020 12:21:30 +1300
Subject: [PATCH] cephadm: apply more restrictive permissions on TLS files

Changes permissions from 640 to 600 on the crt/key and token files

Signed-off-by: Paul Cuzner
---
 src/cephadm/cephadm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 46a62d5b9d96..e46286d9901f 100755
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -6131,7 +6131,7 @@ WantedBy=ceph-{fsid}.target
 # Create the required config files in the daemons dir, with restricted permissions
 for filename in config:
- with open(os.open(os.path.join(self.daemon_path, filename), os.O_CREAT | os.O_WRONLY, mode=0o640), "w") as f:
+ with open(os.open(os.path.join(self.daemon_path, filename), os.O_CREAT | os.O_WRONLY, mode=0o600), "w") as f:
 f.write(config[filename])
 # When __file__ is we're being invoked over remoto via the orchestrator, so
--
2.47.3
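Review bot: The `mode=0o600` argument on the `os.open()` call only takes effect when the file is created, so crt/key/token files already written as 0o640 by an earlier deployment keep their group-read bit after this change. Setting the mode on the open descriptor closes that gap, e.g. `os.fchmod(f.fileno(), 0o600)` as the first statement inside the `with` block. The flags also lack `os.O_TRUNC`, and `open()` on an existing descriptor does not truncate, so rewriting a shorter certificate or key over a longer one would leave stale trailing bytes; `os.O_CREAT | os.O_WRONLY | os.O_TRUNC` avoids that. The enclosing method starts and ends outside this hunk, so whether a later chmod or chown already covers these files cannot be seen from here.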