From 4a5dfea232e9dd56ba533e811e817afb38a827c6 Mon Sep 17 00:00:00 2001
From: Julien Cristau
Date: Mon, 2 Oct 2017 14:27:26 +0200
Subject: [PATCH 1/1] Make sure onionbalance private keys are group-readable

Seems umask is no longer sufficient and they end up 0600.
---
 modules/onion/files/create-onionbalance-config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/onion/files/create-onionbalance-config b/modules/onion/files/create-onionbalance-config
index 90e2ed783..5903a7482 100755
--- a/modules/onion/files/create-onionbalance-config
+++ b/modules/onion/files/create-onionbalance-config
@@ -71,7 +71,7 @@ for s in service_instances:
 keyfile = os.path.join(keydir, s+'.key')
 relkeyfile = os.path.join(relkeydir, s+'.key')
 if (not os.path.exists(keyfile)):
- subprocess.check_call('umask 0027 && openssl genrsa -out %s 1024 && chgrp onionbalance %s'%(keyfile, keyfile), shell=True)
+ subprocess.check_call('umask 0027 && openssl genrsa -out %s 1024 && chgrp onionbalance %s && chmod 0640 %s'%(keyfile, keyfile, keyfile), shell=True)
 service = {
 'key': relkeyfile,
-- 
2.20.1
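Review bot: The rewritten `subprocess.check_call` line still builds a `shell=True` command by interpolating `keyfile` three times with `%s`, so a service name or key directory containing whitespace or a shell metacharacter would be split or interpreted by the shell instead of being treated as one path. Passing argument lists and setting the mode with `os.chmod` keeps the path out of a shell command line, as sketched below. The `chmod 0640` also sits inside the `if (not os.path.exists(keyfile))` branch, so keys already written as 0600 (the case the commit message describes) keep that mode on later runs. Where `s` and `keydir` come from is outside the hunk, so how exposed the interpolation is needs checking against the code that fills `service_instances`; the enclosing `for` loop starts before and continues after the hunk.

```python
if (not os.path.exists(keyfile)):
    # Keep the restrictive umask for openssl, but pass the path as an argument
    # rather than as part of a shell string.
    old_umask = os.umask(0o027)
    try:
        subprocess.check_call(['openssl', 'genrsa', '-out', keyfile, '1024'])
    finally:
        os.umask(old_umask)
    # Set the group before widening the mode, so the group-read bit is only
    # ever granted to onionbalance.
    subprocess.check_call(['chgrp', 'onionbalance', keyfile])
    os.chmod(keyfile, 0o640)
# … unchanged: service dict construction …
```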