From 883b40b5b0ecfc5f78758143c0d3c754458f12b7 Mon Sep 17 00:00:00 2001
From: lujie
Date: Fri, 19 Jan 2024 21:23:04 +0800
Subject: [PATCH] Move the chmod function before the write and flush functions to prevent sensitive information leakage.
Closes-Bug: #2047690
Change-Id: I2b88a14cc67a4fba35fcfc187a91771e1d714844
(cherry picked from commit cb71d19382eef6bea273075a3287a952c40f8a3b)
(cherry picked from commit 272fd686d8c8bf5954e9e7d3bc991ff27e46184d)
---
 magnum/conductor/handlers/common/cert_manager.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/magnum/conductor/handlers/common/cert_manager.py b/magnum/conductor/handlers/common/cert_manager.py
index 180c0b9025..286639e3cd 100755
--- a/magnum/conductor/handlers/common/cert_manager.py
+++ b/magnum/conductor/handlers/common/cert_manager.py
@@ -189,23 +189,22 @@ def create_client_files(cluster, context=None):
 magnum_cert = get_cluster_magnum_cert(cluster, context)

 ca_file = open(cached_ca_file, "w+")
+ os.chmod(cached_ca_file, 0o600)
 ca_file.write(encodeutils.safe_decode(ca_cert.get_certificate()))
 ca_file.flush()

 key_file = open(cached_key_file, "w+")
+ os.chmod(cached_key_file, 0o600)
 key_file.write(encodeutils.safe_decode(
 magnum_cert.get_decrypted_private_key()))
 key_file.flush()

 cert_file = open(cached_cert_file, "w+")
+ os.chmod(cached_cert_file, 0o600)
 cert_file.write(
 encodeutils.safe_decode(magnum_cert.get_certificate()))
 cert_file.flush()

- os.chmod(cached_ca_file, 0o600)
- os.chmod(cached_key_file, 0o600)
- os.chmod(cached_cert_file, 0o600)
-
 else:
 ca_file = open(cached_ca_file, "r")
 key_file = open(cached_key_file, "r")
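Review bot: The three `open(path, "w+")` calls still create each file with the process's default, umask-derived mode and only afterwards narrow it with `os.chmod`, so a short window remains in which the path exists with wider permissions; a descriptor opened by another local process in that window stays usable after the chmod, including for the private key later written to `cached_key_file`. Creating the file with its final mode removes the window: `fd = os.open(cached_key_file, os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `key_file = os.fdopen(fd, "w+")`, and likewise for `cached_ca_file` and `cached_cert_file`. The mode argument of `os.open` only applies when the file is newly created, so an `os.fchmod(fd, 0o600)` before the write is still worth keeping in case a cached file from an earlier run already exists. Whether the cache directory's own permissions already limit access is not visible here, since create_client_files begins and ends outside the hunk.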