CA-371790: Restrict the permissions on pool tokens

Signed-off-by: Steven Woods <steven.woods@citrix.com>

ocaml/xapi/helpers.ml

@@ -1951,7 +1951,7 @@ end = struct
     Xapi_globs.pool_secrets := [ps] ;
     Db_globs.pool_secret :=
       ps |> SecretString.rpc_of_t |> Db_secret_string.t_of_rpc ;
-    SecretString.write_to_file !Xapi_globs.pool_secret_path ps ;
+    SecretString.write_to_file ~perms:0o600 !Xapi_globs.pool_secret_path ps ;
     Xapi_psr_util.load_psr_pool_secrets ()
 end
 

ocaml/xapi/xapi_host.ml

@@ -1985,7 +1985,7 @@ let detach_static_vdis ~__context ~host:_ ~vdis =
   List.iter detach vdis
 
 let update_pool_secret ~__context ~host:_ ~pool_secret =
-  SecretString.write_to_file !Xapi_globs.pool_secret_path pool_secret
+  SecretString.write_to_file ~perms:0o600 !Xapi_globs.pool_secret_path pool_secret
 
 let set_localdb_key ~__context ~host:_ ~key ~value =
   Localdb.put key value ;

ocaml/xapi/xapi_psr.ml

@@ -362,8 +362,8 @@ functor
 
     let backup (old_pool_secret, new_pool_secret) =
       Xapi_fist.hang_psr `backup ;
-      SecretString.write_to_file old_pool_secret_backup_path old_pool_secret ;
-      SecretString.write_to_file new_pool_secret_backup_path new_pool_secret
+      SecretString.write_to_file ~perms:0o600 old_pool_secret_backup_path old_pool_secret ;
+      SecretString.write_to_file ~perms:0o600 new_pool_secret_backup_path new_pool_secret
 
     let retrieve = read_backups
 
@@ -411,8 +411,8 @@ let notify_new ~__context ~old_ps ~new_ps =
           )
   | [priority_1_ps] when SecretString.equal priority_1_ps old_ps ->
       if Pool_role.is_slave () then Assert.no_backups () ;
-      SecretString.write_to_file old_pool_secret_backup_path old_ps ;
-      SecretString.write_to_file new_pool_secret_backup_path new_ps ;
+      SecretString.write_to_file ~perms:0o600 old_pool_secret_backup_path old_ps ;
+      SecretString.write_to_file ~perms:0o600 new_pool_secret_backup_path new_ps ;
       Xapi_globs.pool_secrets := [old_ps; new_ps]
   | [_] ->
       raise