Change permissions on SSL keys to 640

This tightens up the security on the SSL keys stored in /etc/apache2/ssl/<service> to be no longer world readable. This is a backport from master: cherry-pick: 6470d6dd2c Change-Id: I5c6349d421f9ee0627dc95797291a466dee7fe37 Related-Bug: #1761305
2018-04-05 19:19:54 +00:00
parent 49dffb7000
commit 463fe64097
2 changed files with 4 additions and 4 deletions
--- a/charmhelpers/contrib/openstack/context.py
+++ b/charmhelpers/contrib/openstack/context.py
@@ -796,9 +796,9 @@ class ApacheSSLContext(OSContextGenerator):
            key_filename = 'key'

        write_file(path=os.path.join(ssl_dir, cert_filename),
-                   content=b64decode(cert))
+                   content=b64decode(cert), perms=0o640)
        write_file(path=os.path.join(ssl_dir, key_filename),
-                   content=b64decode(key))
+                   content=b64decode(key), perms=0o640)

    def configure_ca(self):
        ca_cert = get_ca_cert()
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
@@ -94,10 +94,10 @@ class SSLContext(context.ApacheSSLContext):

        write_file(path=os.path.join(self.ssl_dir, 'cert_{}'.format(cn)),
                   content=cert, owner=SSH_USER, group=KEYSTONE_USER,
-                   perms=0o644)
+                   perms=0o640)
        write_file(path=os.path.join(self.ssl_dir, 'key_{}'.format(cn)),
                   content=key, owner=SSH_USER, group=KEYSTONE_USER,
-                   perms=0o644)
+                   perms=0o640)

    def configure_ca(self):
        from keystone_utils import (