diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2021-02-17 23:53:31 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2021-02-18 00:53:43 +0100 | 
| commit | d72df441f86f759bf143df745ff13fd9b90597bf (patch) | |
| tree | 07cd218d91557200f735d6e3a108a4526437bb47 | |
| parent | 32c27cecbe7ab3bdf0cbc984c50b37fbe231e79d (diff) | |
Split client/webserver/accountd commands on whitespace.
This doesn't change the default behavior.
| -rw-r--r-- | Changelog | 2 | ||||
| -rw-r--r-- | config/lacme.conf | 6 | ||||
| -rwxr-xr-x | lacme | 25 | ||||
| -rw-r--r-- | lacme.8.md | 20 | 
4 files changed, 34 insertions, 19 deletions
| @@ -22,6 +22,8 @@ lacme (0.7.1) upstream;   * Breaking change: lacme(8) resp. lacme-accountd(1) no longer consider     ./lacme.conf resp. ./lacme-accountd.conf as default location for the     configuration file. + * The client, webserver, and accountd commands are now split on +   whitespace.  This doesn't change the default behavior.   + Improve nginx/apache2 snippets for direct serving of challenge files     (with the new 'challenge-directory' logic symlinks can be disabled).   + Split Nginx and Apapche2 static configuration snippets into seperate diff --git a/config/lacme.conf b/config/lacme.conf index 4c7dc86..3faed2b 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -29,7 +29,7 @@  #  #group = @@lacme_client_group@@ -# Path to the ACME client executable. +# ACME client command.  #  #command = @@libexecdir@@/lacme/client @@ -83,7 +83,7 @@  #  #group = @@lacme_www_group@@ -# Path to the ACME webserver executable. +# ACME webserver command.  #  #command = @@libexecdir@@/lacme/webserver @@ -110,7 +110,7 @@  #  #group = -# Path to the lacme-accountd(1) executable. +# lacme-accountd(1) command.  #  #command = @@bindir@@/lacme-accountd @@ -379,7 +379,8 @@ sub spawn_webserver() {              $ENV{DEBUG} = $OPTS{debug} // 0;              # use execve(2) rather than a Perl pseudo-process to ensure that              # the child doesn't have access to the parent's memory -            exec $conf->{command}, fileno($sock) or die; +            my ($cmd, @args) = split(/\s+/, $conf->{command}) or die "Empty webserver command\n"; +            exec { $cmd } $cmd, @args, fileno($sock) or die;          }          print STDERR "[$$] Forking ACME webserver bound to $p, child PID $pid\n" if $OPTS{debug}; @@ -505,12 +506,13 @@ sub acme_client($@) {              drop_privileges($accountd->{user}, $accountd->{group}, '/');              set_FD_CLOEXEC($s, 0);              $client->close() or die "close: $!"; -            my @cmd = ($accountd->{command}, '--conn-fd='.fileno($s)); -            push @cmd, '--config='.$accountd->{config}   if defined $accountd->{config}; -            push @cmd, '--privkey='.$accountd->{privkey} if defined $accountd->{privkey}; -            push @cmd, '--quiet' unless lc $accountd->{quiet} eq 'no'; -            push @cmd, '--debug' if $OPTS{debug}; -            exec { $cmd[0] } @cmd or die; +            my ($cmd, @args) = split(/\s+/, $accountd->{command}) or die "Empty accountd command\n"; +            push @args, '--conn-fd='.fileno($s); +            push @args, '--config='.$accountd->{config}   if defined $accountd->{config}; +            push @args, '--privkey='.$accountd->{privkey} if defined $accountd->{privkey}; +            push @args, '--quiet' unless lc $accountd->{quiet} eq 'no'; +            push @args, '--debug' if $OPTS{debug}; +            exec { $cmd } $cmd, @args or die;          }          print STDERR "[$$] Forking lacme-accountd, child PID $pid\n" if $OPTS{debug};          $s->close() or die "close: $!"; @@ -546,6 +548,7 @@ sub acme_client($@) {      # use execve(2) rather than a Perl pseudo-process to ensure that the      # child doesn't have access to the parent's memory +    my ($cmd, @args2) = split(/\s+/, $conf->{command}) or die "Empty client command\n";      my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno      set_FD_CLOEXEC($client, 1);      my $rv = spawn({in => $args->{in}, out => $args->{out}, child => sub() { @@ -553,7 +556,7 @@ sub acme_client($@) {          set_FD_CLOEXEC($_, 0) foreach ($CONFFILE, $client);          seek($CONFFILE, SEEK_SET, 0) or die "seek: $!";          $ENV{DEBUG} = $OPTS{debug} // 0; -    }}, $conf->{command}, $COMMAND, @fileno, @args); +    }}, $cmd, @args2, $COMMAND, @fileno, @args);      if (defined $cleanup) {          @CLEANUP = grep { $_ ne $cleanup } @CLEANUP; @@ -564,7 +567,7 @@ sub acme_client($@) {  sub spawn($@) {      my $args = shift; -    my @exec = @_; +    my ($cmd, @args) = @_;      # create communication pipes if needed      my ($in_rd, $in_wd, $out_rd, $out_wd); @@ -593,7 +596,7 @@ sub spawn($@) {          } elsif (fileno(STDOUT) != fileno($args->{out})) {              open STDOUT, '>&', $args->{out} or die "dup: $!";          } -        exec { $exec[0] } @exec or die; +        exec { $cmd } $cmd, @args or die;      }      push @CLEANUP, sub() {          kill 15 => $pid; @@ -601,7 +604,7 @@ sub spawn($@) {      };      # parent -    print STDERR "[$$] Forking $exec[0], child PID $pid\n" if $OPTS{debug}; +    print STDERR "[$$] Forking $cmd, child PID $pid\n" if $OPTS{debug};      if (defined $args->{in}) {          $in_rd->close() or die "close: $!";          $in_wd->print($args->{in}); @@ -183,7 +183,10 @@ of [ACME] commands and dialogues with the remote [ACME] server).  *command* -:   Path to the [ACME] client executable. +:   The [ACME] client command.  It is split on whitespace, with the +    first item being the command to execute, the second its first +    argument etc.  (Note that `lacme` might append more arguments when +    executing the command internally.)      Default: `@@libexecdir@@/lacme/client`.  *server* @@ -262,9 +265,13 @@ served during certificate issuance.  *command* -:   Path to the [ACME] webserver executable.  A separate process is -    spawned for each address to *listen* on.  (In particular no -    webserver process is forked when the *listen* option is empty.) +:   The [ACME] webserver command.  It is split on whitespace, with the +    first item being the command to execute, the second its first +    argument etc.  (Note that `lacme` might append more arguments when +    executing the command internally.) +    A separate process is spawned for each address to *listen* on.  (In +    particular no webserver process is forked when the *listen* option +    is empty.)      Default: `@@libexecdir@@/lacme/webserver`.  *iptables* @@ -297,7 +304,10 @@ UNIX-domain socket.  *command* -:   Path to the [`lacme-accountd`(1)] executable. +:   The [`lacme-accountd`(1)] command.  It is split on whitespace, with +    the first item being the command to execute, the second its first +    argument etc.  (Note that `lacme` appends more arguments when +    executing the command internally.)      Default: `@@bindir@@/lacme-accountd`.  *config* | 
