From: Julien Cristau
Date: Mon, 2 Oct 2017 12:27:26 +0000 (+0200)
Subject: Make sure onionbalance private keys are group-readable
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=4a5dfea232e9dd56ba533e811e817afb38a827c6;p=mirror%2Fdsa-puppet.git
Make sure onionbalance private keys are group-readable
Seems umask is no longer sufficient and they end up 0600.
---
diff --git a/modules/onion/files/create-onionbalance-config b/modules/onion/files/create-onionbalance-config
index 90e2ed783..5903a7482 100755
--- a/modules/onion/files/create-onionbalance-config
+++ b/modules/onion/files/create-onionbalance-config
@@ -71,7 +71,7 @@ for s in service_instances:
 keyfile = os.path.join(keydir, s+'.key')
 relkeyfile = os.path.join(relkeydir, s+'.key')
 if (not os.path.exists(keyfile)):
- subprocess.check_call('umask 0027 && openssl genrsa -out %s 1024 && chgrp onionbalance %s'%(keyfile, keyfile), shell=True)
+ subprocess.check_call('umask 0027 && openssl genrsa -out %s 1024 && chgrp onionbalance %s && chmod 0640 %s'%(keyfile, keyfile, keyfile), shell=True)
 service = {
 'key': relkeyfile,
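Review bot: The key path is still interpolated into a `shell=True` command string on the added `subprocess.check_call` line, so a service name in `service_instances` containing whitespace or shell metacharacters would alter the command; where those names come from is outside the hunk, so this is a hardening point rather than a confirmed bug. The new `chmod 0640` also runs only inside the `if (not os.path.exists(keyfile))` branch, so keys that already ended up 0600 are not repaired, and a key left behind by a failed `chgrp` or `chmod` is skipped on later runs. Passing argument lists and applying group and mode outside the `if` would address both, with the umask kept in the child process so the key is never created wider than intended. The enclosing `for` loop starts above the hunk and its body continues below it.

```python
    if (not os.path.exists(keyfile)):
        # umask applies to the openssl child only; no shell parses the path
        subprocess.check_call(['openssl', 'genrsa', '-out', keyfile, '1024'],
                              preexec_fn=lambda: os.umask(0o027))
    # enforced on every run, so keys already present with mode 0600 are repaired
    subprocess.check_call(['chgrp', 'onionbalance', keyfile])
    os.chmod(keyfile, 0o640)
    # … unchanged: service dict construction …
```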