Increase file permissions around generate keys Make sure directories created under keys are 0700 and newly generated keys have only read access. Change-Id: I72c599338a744ad7723574564dd4b204b25b4e22 Signed-off-by: Paul Belanger <pabelanger@redhat.com>

commit: a77687de5e4183a4775ca05f620b036ce312cab4 [log] [tgz]
author: Paul Belanger <pabelanger@redhat.com> Sat Apr 29 11:25:44 2017 -0400
committer: Paul Belanger <pabelanger@redhat.com> Wed May 03 11:06:43 2017 -0400
tree: 7f81d867a0776d938044d078273e05a79fbe23fc
parent: a04b079f4c0af89a090234ea25a826bc6b7e89b1 [diff]
diff --git a/zuul/configloader.py b/zuul/configloader.py
index 9ef33ea..9dfc5c2 100644
--- a/zuul/configloader.py
+++ b/zuul/configloader.py

@@ -818,7 +818,7 @@
 
         key_dir = os.path.dirname(project.private_key_file)
         if not os.path.isdir(key_dir):
-            os.makedirs(key_dir)
+            os.makedirs(key_dir, 0o700)
 
         TenantParser.log.info(
             "Generating RSA keypair for project %s" % (project.name,)
@@ -835,6 +835,9 @@
         with open(project.private_key_file, 'wb') as f:
             f.write(pem_private_key)
 
+        # Ensure private key is read/write for zuul user only.
+        os.chmod(project.private_key_file, 0o600)
+
     @staticmethod
     def _loadKeys(project):
         # Check the key files specified are there
commit	a77687de5e4183a4775ca05f620b036ce312cab4	[log] [tgz]
author	Paul Belanger <pabelanger@redhat.com>	Sat Apr 29 11:25:44 2017 -0400
committer	Paul Belanger <pabelanger@redhat.com>	Wed May 03 11:06:43 2017 -0400
tree	7f81d867a0776d938044d078273e05a79fbe23fc
parent	a04b079f4c0af89a090234ea25a826bc6b7e89b1 [diff]