From fddec92b8ea39515ff19be1117fcacb32944ab72 Mon Sep 17 00:00:00 2001
From: Scott Moser <smoser@ubuntu.com>
Date: Fri, 29 Jan 2010 13:05:06 -0500
Subject: tighten permissions on cloud-config and user-data to protect it

---
 ec2init/__init__.py | 8 +++-----
 ec2init/util.py     | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)


diff --git a/ec2init/__init__.py b/ec2init/__init__.py
index 918b9280..76aa34f0 100644
--- a/ec2init/__init__.py
+++ b/ec2init/__init__.py
@@ -147,8 +147,8 @@ class EC2Init:
         self.store_userdata()
 
     def store_userdata(self):
-        util.write_file(userdata_raw, self.datasource.get_userdata_raw(), 0644)
-        util.write_file(userdata, self.datasource.get_userdata(), 0644)
+        util.write_file(userdata_raw, self.datasource.get_userdata_raw(), 0600)
+        util.write_file(userdata, self.datasource.get_userdata(), 0600)
 
     def initctl_emit(self):
         subprocess.Popen(['initctl', 'emit', 'cloud-config',
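Review bot: The two new `write_file(..., 0600)` calls in store_userdata carry no hint of why the mode was tightened, and the next maintainer who adds a third copy of the user-data will not know it is sensitive; a one-line comment above the first call would fix that, e.g. `# user-data may carry credentials or keys: keep it readable by root only`. Note that the mode reaching the disk is whatever util.write_file does with it, so the protection is only as strong as that helper's create-then-chmod sequence (changed in the same commit).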
@@ -283,9 +283,7 @@ class EC2Init:
             self.cloud_config_str=""
             return
         if ctype == "__end__":
-            f=open(cloud_config, "wb")
-            f.write(self.cloud_config_str)
-            f.close()
+            util.write_file(cloud_config, self.cloud_config_str, 0600)
 
             ## this could merge the cloud config with the system config
             ## for now, not doing this as it seems somewhat circular
diff --git a/ec2init/util.py b/ec2init/util.py
index 403832ff..30ce1d82 100644
--- a/ec2init/util.py
+++ b/ec2init/util.py
@@ -40,9 +40,9 @@ def write_file(file,content,mode=0644):
                 raise e
 
         f=open(file,"wb")
+        os.chmod(file,mode)
         f.write(content)
         f.close()
-        os.chmod(file,mode)
 
 # get keyid from keyserver
 def getkeybyid(keyid,keyserver):
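Review bot: Moving `os.chmod` before the write still leaves a window: `open(file,"wb")` creates a missing file with the umask-derived mode (typically 0644) and only the following chmod tightens it, so another local process can open the file in between and keep a readable descriptor across the write. Creating the file with the mode at open time closes that gap, and an fchmod on the descriptor still covers the pre-existing-file case (a file left at 0644 by an earlier version is not re-moded by O_CREAT): `fd = os.open(file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)`, `os.fchmod(fd, mode)`, `f = os.fdopen(fd, "wb")`, with the write and close unchanged. Separately, the default `mode=0644` on the signature (visible only in the hunk header) stays world-readable, so any caller that forgets the argument gets the old behaviour; consider flipping the default to 0600 if the remaining callers can tolerate it. The start of write_file's body, including the directory-creation try/except whose `raise e` is the first line here, lies above this hunk.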
-- 