From f0ba65e09e79ad409541838f6b50d0f6c0432d00 Mon Sep 17 00:00:00 2001
From: Colin Cross
Date: Fri, 4 Dec 2015 10:29:14 -0800
Subject: [PATCH] Set permissions of all four key files to 0600
Set the permissions of cert.pem, privkey.pem, chain.pem and fullchain.pem to 0600, read-write only by root.
Fixes #1473
---
 letsencrypt/storage.py | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/letsencrypt/storage.py b/letsencrypt/storage.py
index 7e2802b146a..c5b4b09d3a3 100644
--- a/letsencrypt/storage.py
+++ b/letsencrypt/storage.py
@@ -644,17 +644,16 @@ def new_lineage(cls, lineagename, cert, privkey, chain,
 for kind in ALL_FOUR:
 os.symlink(os.path.join(relative_archive, kind + "1.pem"),
 target[kind])
-with open(target["cert"], "w") as f:
+with le_util.safe_open(target["cert"], "w", chmod=0o600) as f:
 logger.debug("Writing certificate to %s.", target["cert"])
 f.write(cert)
-with open(target["privkey"], "w") as f:
+with le_util.safe_open(target["privkey"], "w", chmod=0o600) as f:
 logger.debug("Writing private key to %s.", target["privkey"])
 f.write(privkey)
-# XXX: Let's make sure to get the file permissions right here
-with open(target["chain"], "w") as f:
+with le_util.safe_open(target["chain"], "w", chmod=0o600) as f:
 logger.debug("Writing chain to %s.", target["chain"])
 f.write(chain)
-with open(target["fullchain"], "w") as f:
+with le_util.safe_open(target["fullchain"], "w", chmod=0o600) as f:
 # assumes that OpenSSL.crypto.dump_certificate includes
 # ending newline character
 logger.debug("Writing full chain to %s.", target["fullchain"])
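Review bot: The mode `0o600` is repeated as a bare literal on all four `safe_open` calls here and on the four more in the save_successor hunk; one module-level constant such as `KEY_FILE_MODE = 0o600` (constructed name) would state the policy once and keep the eight call sites from drifting apart. The removed `# XXX` line was the only comment that mentioned permissions, and nothing now records that chain.pem and fullchain.pem deliberately receive the private key's mode even though they hold public material, so a comment like `# all four lineage files share the private key's mode on purpose; see #1473` on the first call would stop a later reader from relaxing it. Whether `le_util.safe_open` applies `chmod` to an already-existing file and whether it follows the `target[kind]` symlinks created just above, so that the mode lands on the archive file rather than the link, cannot be seen from this hunk and is worth confirming against its docstring. new_lineage starts before the hunk and continues after it.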
@@ -726,18 +725,18 @@ def save_successor(self, prior_version, new_cert, new_privkey, new_chain):
 logger.debug("Writing symlink to old private key, %s.", old_privkey)
 os.symlink(old_privkey, target["privkey"])
 else:
-with open(target["privkey"], "w") as f:
+with le_util.safe_open(target["privkey"], "w", chmod=0o600) as f:
 logger.debug("Writing new private key to %s.", target["privkey"])
 f.write(new_privkey)
 # Save everything else
-with open(target["cert"], "w") as f:
+with le_util.safe_open(target["cert"], "w", chmod=0o600) as f:
 logger.debug("Writing certificate to %s.", target["cert"])
 f.write(new_cert)
-with open(target["chain"], "w") as f:
+with le_util.safe_open(target["chain"], "w", chmod=0o600) as f:
 logger.debug("Writing chain to %s.", target["chain"])
 f.write(new_chain)
-with open(target["fullchain"], "w") as f:
+with le_util.safe_open(target["fullchain"], "w", chmod=0o600) as f:
 logger.debug("Writing full chain to %s.", target["fullchain"])
 f.write(new_cert + new_chain)
 return target_version
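Review bot: The tightened mode only reaches the `else:` branch that writes a fresh key; the `os.symlink(old_privkey, target["privkey"])` path just above re-links a key file created by an earlier version, which keeps whatever mode it had before this change, so lineages that predate the fix stay at their old permissions when renewed with the same key. If no separate migration tightens existing archive files (none is visible here), the reuse branch should also chmod the existing key file, and at minimum a comment should record the gap: `# NOTE: reusing old_privkey keeps its existing mode; pre-fix lineages are not tightened here`. How `old_privkey` resolves relative to the archive directory is not visible in this hunk, so the exact `os.chmod` target has to come from the surrounding code. save_successor starts before the hunk.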