Change permissions on SSL keys to 640

This tightens up the security on the SSL keys stored in /etc/apache2/ssl/<service> to be no longer world readable. Change-Id: I0951deff4ec95b1fc7f4389dc083c8957f8db6f0 Closes-Bug: #1761305
2018-04-05 19:19:54 +00:00 · 2018-04-05 19:19:54 +00:00 · 6470d6dd2c
parent 92f5248a07
commit 6470d6dd2c
2 changed files with 4 additions and 4 deletions
--- a/charmhelpers/contrib/openstack/context.py
+++ b/charmhelpers/contrib/openstack/context.py
@ -797,9 +797,9 @@ class ApacheSSLContext(OSContextGenerator):
            key_filename = 'key'

        write_file(path=os.path.join(ssl_dir, cert_filename),
-                   content=b64decode(cert))
+                   content=b64decode(cert), perms=0o640)
        write_file(path=os.path.join(ssl_dir, key_filename),
-                   content=b64decode(key))
+                   content=b64decode(key), perms=0o640)

    def configure_ca(self):
        ca_cert = get_ca_cert()
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
@ -94,10 +94,10 @@ class SSLContext(context.ApacheSSLContext):

        write_file(path=os.path.join(self.ssl_dir, 'cert_{}'.format(cn)),
                   content=cert, owner=SSH_USER, group=KEYSTONE_USER,
-                   perms=0o644)
+                   perms=0o640)
        write_file(path=os.path.join(self.ssl_dir, 'key_{}'.format(cn)),
                   content=key, owner=SSH_USER, group=KEYSTONE_USER,
-                   perms=0o644)
+                   perms=0o640)

    def configure_ca(self):
        from keystone_utils import (