client-go: make generating certificate/key permissions more secure (600)

Kubernetes-commit: 5f81c3005f6d3aeb652a0626c3632ff68b036577
Khachatur Ashotyan 2023-02-02 14:52:45 +04:00 committed by Kubernetes Publisher
parent d0008d188f
commit 03568a1821
4 changed files with 9 additions and 9 deletions


@ -188,10 +188,10 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
}
if len(fixtureDirectory) > 0 {
if err := os.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
if err := os.WriteFile(certFixturePath, certBuffer.Bytes(), 0600); err != nil {
return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
}
if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0600); err != nil {
return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
}
}
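Review bot: The error path for the key fixture still reports certFixturePath, so a failure writing the key fixture names the wrong file; change the line after the second WriteFile to `return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", keyFixturePath, err)`. Separately, os.WriteFile applies 0600 only when it creates the file: a fixture left behind by an earlier run keeps its previous 0644 mode, and the requested mode is masked by the process umask either way, so the tightened permissions are not guaranteed for pre-existing files. The same caveat applies to the WriteFile calls in WriteCert and WriteKey and to the MkdirAll in fileStore.Update below; if the stricter mode must hold for existing files, an explicit os.Chmod after the write (or removing stale fixtures first) is needed. GenerateSelfSignedCertKeyWithFixtures begins before this hunk.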


@ -58,14 +58,14 @@ func canReadFile(path string) bool {
}
// WriteCert writes the pem-encoded certificate data to certPath.
// The certificate file will be created with file mode 0644.
// The certificate file will be created with file mode 000.
// If the certificate file already exists, it will be overwritten.
// The parent directory of the certPath will be created as needed with file mode 0755.
// The parent directory of the certPath will be created as needed with file mode 0700.
func WriteCert(certPath string, data []byte) error {
if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0700)); err != nil {
return err
}
return os.WriteFile(certPath, data, os.FileMode(0644))
return os.WriteFile(certPath, data, os.FileMode(0600))
}
// NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
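Review bot: The updated doc comment on WriteCert states the file is created with mode `000`, which does not match the `os.FileMode(0600)` the function actually passes to os.WriteFile and reads as "no permissions at all"; the line should be `// The certificate file will be created with file mode 0600.`. The directory-mode sentence in the same comment (0700) is consistent with the MkdirAll change.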


@ -188,7 +188,7 @@ func (s *fileStore) Update(certData, keyData []byte) (*tls.Certificate, error) {
ts := time.Now().Format("2006-01-02-15-04-05")
pemFilename := s.filename(ts)
if err := os.MkdirAll(s.certDirectory, 0755); err != nil {
if err := os.MkdirAll(s.certDirectory, 0700); err != nil {
return nil, fmt.Errorf("could not create directory %q to store certificates: %v", s.certDirectory, err)
}
certPath := filepath.Join(s.certDirectory, pemFilename)


@ -63,9 +63,9 @@ func MakeEllipticPrivateKeyPEM() ([]byte, error) {
// WriteKey writes the pem-encoded key data to keyPath.
// The key file will be created with file mode 0600.
// If the key file already exists, it will be overwritten.
// The parent directory of the keyPath will be created as needed with file mode 0755.
// The parent directory of the keyPath will be created as needed with file mode 0700.
func WriteKey(keyPath string, data []byte) error {
if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0700)); err != nil {
return err
}
return os.WriteFile(keyPath, data, os.FileMode(0600))