Mask permissions on private key files

When using "nova x509-create-cert", the private key should be written to a file with the permissions 0400, not (world-readable) 0644, in line with how ssh private keys are treated. bug 1112605 Change-Id: I0b20378efba38fa58f4ad9a33cd15b3432ebb8a2 Signed-off-by: Zane Bitter <zbitter@redhat.com>
openstack · Feb 11, 2013 · 0b4590c · 0b4590c
1 parent 1ea7e65
commit 0b4590c
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/novaclient/v1_1/shell.py b/novaclient/v1_1/shell.py
@@ -2149,9 +2149,13 @@ def do_x509_create_cert(cs, args):
 
     certs = cs.certs.create()
 
-    with open(args.pk_filename, 'w') as private_key:
-        private_key.write(certs.private_key)
-        print "Wrote private key to %s" % args.pk_filename
+    try:
+        old_umask = os.umask(0o377)
+        with open(args.pk_filename, 'w') as private_key:
+            private_key.write(certs.private_key)
+            print "Wrote private key to %s" % args.pk_filename
+    finally:
+        os.umask(old_umask)
 
     with open(args.cert_filename, 'w') as cert:
         cert.write(certs.data)