| author | Guilhem Moulin <guilhem@fripost.org> | 2017-06-28 21:26:00 +0200 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2017-06-28 22:09:50 +0200 | 
| commit | 80c3a95a95ed268905fa87a398748f94628eed44 (patch) | |
| tree | f56329c73dd0bb97cd3b182d7c250edf1a911284 | |
| parent | 944407621f313c15f6cfd53267da1ddbdaceec9f (diff) | |
new-cert: use File::Temp for the temporary cert filename.
This ensures we aren't overwriting existing /path/to/srv.pem.new files.
| -rwxr-xr-x | lacme | 19 | 
1 files changed, 13 insertions, 6 deletions
@@ -604,14 +604,19 @@ sub spawn($@) {
 #############################################################################
 # Install the certificate
 #
-sub install_cert($$@) {
+sub install_cert($$;$) {
     my $filename = shift;
     my $x509 = shift;
-    my @chain = @_;
+    my @chain = grep !/\A\s*\z/, @_; # ignore empty CAfile
+
+    my ($dirname, $basename) =
+        $filename =~ /\A(.*)\/([^\/]+)\z/ ? ($1, $2) : ('.', $filename);
+    my $fh = File::Temp::->new(UNLINK => 0, DIR => $dirname,
+                               TEMPLATE => "$basename.XXXXXX") // die;
-    my $tmp = "$filename.new";
-    open my $fh, '>', $tmp or die "Can't open $tmp: $!";
     eval {
+        my $umask = umask() // die "umask: $!";
+        chmod(0644 &~ $umask, $fh) or die "chmod: $!";
         $fh->print($x509) or die "Can't print: $!";
         foreach (@chain) { # append the chain
             open my $fh2, '<', $_ or die "Can't open $_: $!";
@@ -621,11 +626,13 @@ sub install_cert($$@) {
         }
         $fh->close() or die "Can't close: $!";
     };
+    my $path = $fh->filename();
     if ($@) {
-        unlink $tmp or warn "Can't unlink $tmp: $!";
+        print STDERR "Unlinking $path\n" if $OPTS{debug};
+        unlink $path or warn "Can't unlink $path: $!";
         die $@;
     }
-    rename($tmp, $filename) or die "Can't rename $tmp to $filename: $!";
+    rename($path, $filename) or die "Can't rename $path to $filename: $!";
 }
 | 
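Review bot: The new prototype `($$;$)` on the `sub install_cert` line puts the third argument in scalar context, yet the body still consumes `@_` as a list (`grep !/\A\s*\z/, @_` and the `foreach (@chain)` loop below it), so a caller that passes the chain as an array would hand over its element count rather than its paths, and more than one chain file no longer compiles; if a list of CAfiles is still meant to be accepted, `sub install_cert($$;@) {` keeps the file's prototype style while restoring list semantics. The `// die` after `File::Temp::->new(...)` is effectively dead because File::Temp croaks on failure, and a bare `die` would report only "Died at …"; either drop it or give it a message such as `or die "Can't create temporary file in $dirname: $!"`. A short comment on the `chmod(0644 &~ $umask, $fh)` line would help the next reader, e.g. `# File::Temp creates the file 0600; widen it so the installed certificate stays readable`. install_cert starts in the first hunk and its body continues into the second, which ends at its closing brace.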
