Merge "Increase file permissions around generate keys" into feature/zuulv3
diff --git a/zuul/configloader.py b/zuul/configloader.py
index 3438815..42a9b01 100644
--- a/zuul/configloader.py
+++ b/zuul/configloader.py
@@ -903,7 +903,7 @@
key_dir = os.path.dirname(project.private_key_file)
if not os.path.isdir(key_dir):
- os.makedirs(key_dir)
+ os.makedirs(key_dir, 0o700)
TenantParser.log.info(
"Generating RSA keypair for project %s" % (project.name,)
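Review bot: The `0o700` mode on `os.makedirs(key_dir, 0o700)` only takes effect when the directory is created, so a `key_dir` that already exists (the `os.path.isdir` branch not taken) keeps whatever mode it had. If the key directory is meant to be private to the zuul user in every case, add an unconditional `os.chmod(key_dir, 0o700)` after the `if` block, with a comment such as `# Tighten the key directory even when it pre-dates this change.` Note also that on Python 3.7 and later the mode argument applies to the leaf directory only; any intermediate directories are created with the default umask-derived mode. The enclosing function starts and ends outside this hunk, so whether existing deployments are handled elsewhere cannot be seen from here.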
@@ -920,6 +920,9 @@
with open(project.private_key_file, 'wb') as f:
f.write(pem_private_key)
+ # Ensure private key is read/write for zuul user only.
+ os.chmod(project.private_key_file, 0o600)
+
@staticmethod
def _loadKeys(project):
# Check the key files specified are there
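Review bot: The private key is written through `open(project.private_key_file, 'wb')` before the added `os.chmod(..., 0o600)` runs, so the file briefly exists with umask-derived permissions (commonly world-readable) while it already holds the key material. Creating the file with the restrictive mode from the start closes that window: `fd = os.open(project.private_key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'wb') as f:`. The mode passed to `os.open` applies only when the file is newly created, so keeping the `os.chmod` as a backstop for a pre-existing file is still reasonable. The start of the enclosing function is outside this hunk.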