From: Julien Cristau
Date: Mon, 2 Oct 2017 12:48:50 +0000 (+0200)
Subject: don't spawn a shell in create-onionbalance-config
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=460fb6af622912542f253eb9bd348957d62c9f0f;p=mirror%2Fdsa-puppet.git

don't spawn a shell in create-onionbalance-config

python can do these things.
---
diff --git a/modules/onion/files/create-onionbalance-config b/modules/onion/files/create-onionbalance-config
index 5903a7482..4df5e7095 100755
--- a/modules/onion/files/create-onionbalance-config
+++ b/modules/onion/files/create-onionbalance-config
@@ -42,7 +52,9 @@
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
+import os
import os.path
+import shutil
import subprocess
import yaml
@@ -52,7 +54,8 @@ outfile = '/etc/onionbalance/config.yaml'
relkeydir = 'private_keys'
keydir = os.path.join('/etc/onionbalance', relkeydir)
-data = yaml.safe_load(open(j))
+with open(j) as conf:
+ data = yaml.safe_load(conf)
service_instances = {}
for entry in data:
@@ -70,8 +73,11 @@ services = []
for s in service_instances:
keyfile = os.path.join(keydir, s+'.key')
relkeyfile = os.path.join(relkeydir, s+'.key')
- if (not os.path.exists(keyfile)):
- subprocess.check_call('umask 0027 && openssl genrsa -out %s 1024 && chgrp onionbalance %s && chmod 0640 %s'%(keyfile, keyfile, keyfile), shell=True)
+ if not os.path.exists(keyfile):
+ subprocess.check_call(['openssl', 'genrsa', '-out', keyfile, '1024'],
+ preexec_fn=lambda: os.umask(0027))
+ shutil.chown(keyfile, group='onionbalance')
+ os.chmod(keyfile, 0o640)
service = {
'key': relkeyfile,
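Review bot: The `import shutil` added in the import hunk exists only to serve the `shutil.chown(keyfile, group='onionbalance')` call later in the patch, and `shutil.chown` is Python 3.3+, while the same patch writes the umask as `0027`, a Python 2-only octal literal that Python 3 rejects as a SyntaxError — as written the script cannot run on either interpreter (the shebang is not visible here, so the intended target is unclear). If the target is Python 3, change the literal to `0o027` (valid on 2.6+ and 3) so it matches the `0o640` two lines below it; if Python 2 must still be supported, drop the `shutil` dependency in favour of `import grp` and `os.chown(keyfile, -1, grp.getgrnam('onionbalance').gr_gid)`. Either way, a short comment next to the import such as `# shutil.chown needs Python >= 3.3` would spare the next reader the same check.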