lacme/tests, branch debian/bookworm Small ACME client written with process isolation and minimal privileges in mind tests: Point stretch's archive URL to archive.d.o. 2023-04-25T09:59:39+00:00 Guilhem Moulin guilhem@fripost.org 2023-04-25T09:59:39+00:00 5d9d1ce570c0fa613e1dc2345047a0ff95f781c5 See https://lists.debian.org/msgid-search/87tty79lwo.fsf@43-1.org . 
See https://lists.debian.org/msgid-search/87tty79lwo.fsf@43-1.org .
Adjust test suite against current Let's Encrypt staging environment. 2023-01-25T02:23:45+00:00 Guilhem Moulin guilhem@fripost.org 2023-01-25T02:12:13+00:00 cb0b301e7a62a71d9e4454f9f7af5358c857c48c 






lacme: pass a temporary JSON file with the client configuration to the internal client.
2021-02-25T09:30:22+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-25T00:41:59+00:00

9a8f705eddd18ccc9a24fe0e7efe6b5a87b2be09

So it doesn't have to parse the INI file again.  Also, while lacme.conf
is world-readable by default, one might restrict permissions and add
private information in there, not realizing that everything, including
comments, will be readable by the client.





So it doesn't have to parse the INI file again.  Also, while lacme.conf
is world-readable by default, one might restrict permissions and add
private information in there, not realizing that everything, including
comments, will be readable by the client.







lacme: Add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. 'chmod'.
2021-02-24T20:32:06+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T20:24:13+00:00

c6a4aaa6128d55ba5f7f3cd2bd75f789f69ae407












lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions.
2021-02-24T20:32:01+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T20:01:12+00:00

c612a7ff44995f4f9c39fa0fb68470d90c88decf

Also, always spawn the client with umask 0022 so a starting lacme(8)
with a restrictive umask doesn't impede serving challenge response
files.





Also, always spawn the client with umask 0022 so a starting lacme(8)
with a restrictive umask doesn't impede serving challenge response
files.







lacme: Don't write certificate(-chain) file on chown/chmod failure.
2021-02-24T20:09:02+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T19:03:44+00:00

cdd025133a306cd8d3e81aa832ac056119d65f3a

Otherwise we end up with files with mode 0644 owned by root:root, and
subsequent lacme(8) invocations will likely not renew them for a while.

This change also saves a chown(2) call.  And the new logic (chown resp.
chmod from root:root resp. 0600) is safe if we ever include private key
material in there too.





Otherwise we end up with files with mode 0644 owned by root:root, and
subsequent lacme(8) invocations will likely not renew them for a while.

This change also saves a chown(2) call.  And the new logic (chown resp.
chmod from root:root resp. 0600) is safe if we ever include private key
material in there too.







tests/cert-install: Include tests for failing chown(2).
2021-02-24T12:19:21+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T12:19:21+00:00

539e3a8b8a2baf6746716125e99231da14a153a9

Due to unknown user/group name.





Due to unknown user/group name.







tab damage
2021-02-24T12:18:00+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T12:18:00+00:00

c96f887e5d8a1625f7dfb76d7f646499aead8eed












typofix
2021-02-24T12:17:43+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T12:17:43+00:00

bb3ef24a8d97dd9b0299cf23e4815c57c5ad7fb7












tests/drop-privileges: Ensure failure to drop privileges yields an error.
2021-02-24T12:01:04+00:00

Guilhem Moulin
guilhem@fripost.org

2021-02-24T12:00:32+00:00

83bcf394a15c4c2797353c040f1814c6b03b5db3

And doesn't retain root privileges.





And doesn't retain root privileges.