Increase file permissions around generate keys
Make sure directories created under keys are 0700 and newly generated
keys have only read access.
Change-Id: I72c599338a744ad7723574564dd4b204b25b4e22
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
diff --git a/zuul/configloader.py b/zuul/configloader.py
index 9ef33ea..9dfc5c2 100644
--- a/zuul/configloader.py
+++ b/zuul/configloader.py
@@ -818,7 +818,7 @@
key_dir = os.path.dirname(project.private_key_file)
if not os.path.isdir(key_dir):
- os.makedirs(key_dir)
+ os.makedirs(key_dir, 0o700)
TenantParser.log.info(
"Generating RSA keypair for project %s" % (project.name,)
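Review bot: The `0o700` mode only takes effect when `os.makedirs` creates the directory, so a `key_dir` that already exists with looser permissions passes the `os.path.isdir` check and is left as it is. On Python 3.7 and later the mode argument also applies only to the leaf directory, so any intermediate directories created on the way get the default mode. Adding `os.chmod(key_dir, 0o700)` after the `if` block would enforce the mode in both cases. The enclosing method starts and ends outside this hunk, so whether a parent directory is already restricted elsewhere cannot be confirmed from here.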
@@ -835,6 +835,9 @@
with open(project.private_key_file, 'wb') as f:
f.write(pem_private_key)
+ # Ensure private key is read/write for zuul user only.
+ os.chmod(project.private_key_file, 0o600)
+
@staticmethod
def _loadKeys(project):
# Check the key files specified are there
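Review bot: The private key is still written through `open(project.private_key_file, 'wb')`, so the file is created with whatever mode the process umask allows and holds the key material until the added `os.chmod` runs. With a common umask such as 022, that leaves it readable by other local users for a short window. Creating the file with mode 0o600 from the start via `os.open`/`os.fdopen` closes that window, and the `os.chmod` can stay to tighten a file that already existed. The commit message also says "only read access" while the code and its comment set read/write (0o600), so one of them should be aligned. The enclosing method begins outside the hunk.

```python
# Create the key file with owner-only permissions from the start.
fd = os.open(project.private_key_file,
             os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(fd, 'wb') as f:
    f.write(pem_private_key)
# … unchanged: os.chmod(project.private_key_file, 0o600) …
```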