Set permissions of all four key files to 0600

Set the permissions of cert.pem, privkey.pem, chain.pem and fullchain.pem to 0600, read-write only by root. Fixes certbot#1473
colincross · Dec 4, 2015 · f0ba65e · f0ba65e
1 parent f2a83e9
commit f0ba65e
Showing 1 changed file with 8 additions and 9 deletions.
diff --git a/letsencrypt/storage.py b/letsencrypt/storage.py
@@ -644,17 +644,16 @@ def new_lineage(cls, lineagename, cert, privkey, chain,
  for kind in ALL_FOUR:
  os.symlink(os.path.join(relative_archive, kind + "1.pem"),
  target[kind])
- with open(target["cert"], "w") as f:
+ with le_util.safe_open(target["cert"], "w", chmod=0o600) as f:
  logger.debug("Writing certificate to %s.", target["cert"])
  f.write(cert)
- with open(target["privkey"], "w") as f:
+ with le_util.safe_open(target["privkey"], "w", chmod=0o600) as f:
  logger.debug("Writing private key to %s.", target["privkey"])
  f.write(privkey)
- # XXX: Let's make sure to get the file permissions right here
- with open(target["chain"], "w") as f:
+ with le_util.safe_open(target["chain"], "w", chmod=0o600) as f:
  logger.debug("Writing chain to %s.", target["chain"])
  f.write(chain)
- with open(target["fullchain"], "w") as f:
+ with le_util.safe_open(target["fullchain"], "w", chmod=0o600) as f:
  # assumes that OpenSSL.crypto.dump_certificate includes
  # ending newline character
  logger.debug("Writing full chain to %s.", target["fullchain"])
@@ -726,18 +725,18 @@ def save_successor(self, prior_version, new_cert, new_privkey, new_chain):
  logger.debug("Writing symlink to old private key, %s.", old_privkey)
  os.symlink(old_privkey, target["privkey"])
  else:
- with open(target["privkey"], "w") as f:
+ with le_util.safe_open(target["privkey"], "w", chmod=0o600) as f:
  logger.debug("Writing new private key to %s.", target["privkey"])
  f.write(new_privkey)
 
  # Save everything else
- with open(target["cert"], "w") as f:
+ with le_util.safe_open(target["cert"], "w", chmod=0o600) as f:
  logger.debug("Writing certificate to %s.", target["cert"])
  f.write(new_cert)
- with open(target["chain"], "w") as f:
+ with le_util.safe_open(target["chain"], "w", chmod=0o600) as f:
  logger.debug("Writing chain to %s.", target["chain"])
  f.write(new_chain)
- with open(target["fullchain"], "w") as f:
+ with le_util.safe_open(target["fullchain"], "w", chmod=0o600) as f:
  logger.debug("Writing full chain to %s.", target["fullchain"])
  f.write(new_cert + new_chain)
  return target_version