From a comment I put right into the code:
Allow the pki dir to be 700 or 750, but nothing else.
This prevents other users from writing out keys, while
allowing the use-case of 3rd-party software (like django)
to read in what it needs to integrate.
If the permissions aren't correct, default to the more secure 700.
This will allow our custom django-based cmdb/virtualization control software to continue working.
I also did a #todo while I was in there - adding logging if we are unable to change the permissions of the pki dir to be safe.
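The check described above, as an added example that is not the code from this pull request: the function name `enforce_pki_dir_mode`, the log messages and the temporary test directories are assumptions made for illustration, and POSIX permissions are assumed.

```python
import logging
import os
import stat
import tempfile

log = logging.getLogger(__name__)

ALLOWED_MODES = (0o700, 0o750)  # owner only, or owner plus group read/traverse
SAFE_MODE = 0o700               # fallback when the current mode is anything else


def enforce_pki_dir_mode(path):
    """Return the mode the directory ends up with.

    700 and 750 are left untouched; any other mode (group-writable,
    world-readable, setgid/sticky bits set, ...) is reset to 700.
    A failed chmod is logged and the unchanged mode is returned.
    """
    current = stat.S_IMODE(os.stat(path).st_mode)
    if current in ALLOWED_MODES:
        return current
    try:
        os.chmod(path, SAFE_MODE)
    except OSError as exc:
        log.critical("Unable to set %s to %o (currently %o): %s",
                     path, SAFE_MODE, current, exc)
        return current
    log.warning("Reset %s from %o to %o", path, current, SAFE_MODE)
    return SAFE_MODE


def demo():
    """Apply the check to constructed directories, one per starting mode."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for mode in (0o700, 0o750, 0o755, 0o770, 0o777):
            pki = os.path.join(base, "pki_%o" % mode)
            os.mkdir(pki)
            os.chmod(pki, mode)  # explicit chmod so the umask does not interfere
            results[mode] = enforce_pki_dir_mode(pki)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for before, after in demo().items():
        print("%o -> %o" % (before, after))
```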
allow the pki dir to have 750 permissions, add logging if unable to set permissions correctly
Merge branch 'develop' of https://github.com/saltstack/salt into develop