storage: Create database with mode 0600.

sqlite does not allow controlling creation mode, so create the file
ourselves so it gets created when missing.

caucase/storage.py

@@ -44,6 +44,7 @@ class SQLite3Storage(local):
     crt_keep_time=1,
     crt_read_keep_time=0.05, # About 1 hour
     enforce_unique_key_id=False,
+    mode=0o600,
   ):
     """
     db_path (str)
@@ -68,8 +69,16 @@ class SQLite3Storage(local):
       set at least to the certificate life span.
       Useful for backups, to ensure the certificate to revoke can be uniquely
       identified from the key used to decrypt the backup archive.
+    mode (int)
+      Permissions of the main database file upon creation.
     """
     super(SQLite3Storage, self).__init__()
+    # Create database file if it does not exist, so mode can be controlled.
+    os.close(os.open(
+      db_path,
+      os.O_CREAT | os.O_RDONLY,
+      mode,
+    ))
     self._db = db = sqlite3.connect(db_path)
     self._table_prefix = table_prefix
     db.row_factory = sqlite3.Row

caucase/test.py

@@ -1992,5 +1992,15 @@ class CaucaseTest(unittest.TestCase):
     uri, = distribution_point.full_name
     self.assertEqual(uri.value, u'http://[::1]:8000/cas/crl')
 
+  def testServerFilePermissions(self):
+    """
+    Check that both the sqlite database and server keys are group- and
+    other-inaccessible (u=rw,go=).
+    Only check "regular" permissions (3 octal least significant digits).
+    Limitation: Does not try to race against server.
+    """
+    self.assertEqual(os.stat(self._server_db).st_mode & 0o777, 0o600)
+    self.assertEqual(os.stat(self._server_key).st_mode & 0o777, 0o600)
+
 if __name__ == '__main__':
   unittest.main()