Merge "Increase file permissions around generate keys" into feature/zuulv3
diff --git a/zuul/configloader.py b/zuul/configloader.py
index 3438815..42a9b01 100644
--- a/zuul/configloader.py
+++ b/zuul/configloader.py
@@ -903,7 +903,7 @@
 
         key_dir = os.path.dirname(project.private_key_file)
         if not os.path.isdir(key_dir):
-            os.makedirs(key_dir)
+            os.makedirs(key_dir, 0o700)
 
         TenantParser.log.info(
             "Generating RSA keypair for project %s" % (project.name,)
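Review bot: The mode in `os.makedirs(key_dir, 0o700)` only takes effect when this call actually creates the directory, so a `key_dir` that already exists with looser permissions passes the `os.path.isdir` check and is left unchanged. On Python 3.7 and later the mode argument also applies only to the leaf directory, so any missing parent directories get the default mode. An unconditional `os.chmod(key_dir, 0o700)` after the `if` block would cover the pre-existing case. A short comment such as `# Key directory must be accessible to the zuul user only.` would match the one added in the second hunk. The enclosing method starts above this hunk.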
@@ -920,6 +920,9 @@
         with open(project.private_key_file, 'wb') as f:
             f.write(pem_private_key)
 
+        # Ensure private key is read/write for zuul user only.
+        os.chmod(project.private_key_file, 0o600)
+
     @staticmethod
     def _loadKeys(project):
         # Check the key files specified are there
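Review bot: The private key is still written through `open(project.private_key_file, 'wb')`, which creates the file with the umask-default mode, and the added `os.chmod(..., 0o600)` runs only after the key material is on disk. That leaves a short window in which the file may be readable by other local users. Creating the file restrictively closes the window: `fd = os.open(project.private_key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'wb') as f:`. The `os.chmod` is still worth keeping, because the `os.open` mode is ignored when the file already exists. The method containing the write starts above this hunk.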