pki: make certificates only readable to group and others

even though we copy these to hosts it's not a good idea to allow them to be overwritten by a random user.
oVirt · Jul 26, 2022 · 2f8b462 · 2f8b462
1 parent 2261502
commit 2f8b462
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/packaging/bin/pki-enroll-request.sh b/packaging/bin/pki-enroll-request.sh
@@ -22,6 +22,7 @@ sign() {
 		[ -e "${CERT_CONF}" ] || die "${CERT_CONF} is missing, Cannot sign certificate"
 		EXTRA_COMMAND="-extfile ${CERT_CONF} -extensions ${extsection}"
 	fi
+	umask 0022
 	OVIRT_KU="${ovirt_ku}" OVIRT_EKU="${ovirt_eku}" OVIRT_SAN="${ovirt_san}" \
 		openssl ca \
 		-batch \