Mask permissions on private key files

When using "nova x509-create-cert", the private key should be written to
a file with the permissions 0400, not (world-readable) 0644, in line
with how ssh private keys are treated.

bug 1112605

Change-Id: I0b20378efba38fa58f4ad9a33cd15b3432ebb8a2
Signed-off-by: Zane Bitter <zbitter@redhat.com>
zaneb committed Feb 1, 2013
1 parent 1ea7e65 commit 0b4590cb2438b4ec1fd8842d7ae3f2627059cabc
Showing with 7 additions and 3 deletions.
  1. +7 −3 novaclient/v1_1/shell.py
@@ -2149,9 +2149,13 @@ def do_x509_create_cert(cs, args):
certs = cs.certs.create()
- with open(args.pk_filename, 'w') as private_key:
- private_key.write(certs.private_key)
- print "Wrote private key to %s" % args.pk_filename
+ try:
+ old_umask = os.umask(0o377)
+ with open(args.pk_filename, 'w') as private_key:
+ private_key.write(certs.private_key)
+ print "Wrote private key to %s" % args.pk_filename
+ finally:
+ os.umask(old_umask)
with open(args.cert_filename, 'w') as cert:
cert.write(certs.data)
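
Review bot: The umask set by `old_umask = os.umask(0o377)` only takes effect when `open(args.pk_filename, 'w')` creates the file. If the path already exists with mode 0644, the open truncates it and keeps the existing permissions, so the private key is still world-readable. Consider creating the file with os.open() using O_CREAT | O_EXCL and mode 0o400, or calling os.fchmod() on the descriptor before writing, so the mode is enforced regardless of what was there before. Separately, the os.umask() call sits inside the `try:`, so if it ever raised, the `finally:` would reference an unbound old_umask; moving the assignment above the `try:` avoids that. A test that runs the command against a pre-existing 0644 file and checks the resulting mode would cover the first case.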
