aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2021-02-17 23:53:31 +0100
committerGuilhem Moulin <guilhem@fripost.org>2021-02-18 00:53:43 +0100
commitd72df441f86f759bf143df745ff13fd9b90597bf (patch)
tree07cd218d91557200f735d6e3a108a4526437bb47
parent32c27cecbe7ab3bdf0cbc984c50b37fbe231e79d (diff)
Split client/webserver/accountd commands on whitespace.
This doesn't change the default behavior.
-rw-r--r--Changelog2
-rw-r--r--config/lacme.conf6
-rwxr-xr-xlacme25
-rw-r--r--lacme.8.md20
4 files changed, 34 insertions, 19 deletions
diff --git a/Changelog b/Changelog
index 0f9b6ca..68a1f83 100644
--- a/Changelog
+++ b/Changelog
@@ -22,6 +22,8 @@ lacme (0.7.1) upstream;
* Breaking change: lacme(8) resp. lacme-accountd(1) no longer consider
./lacme.conf resp. ./lacme-accountd.conf as default location for the
configuration file.
+ * The client, webserver, and accountd commands are now split on
+ whitespace. This doesn't change the default behavior.
+ Improve nginx/apache2 snippets for direct serving of challenge files
(with the new 'challenge-directory' logic symlinks can be disabled).
+ Split Nginx and Apapche2 static configuration snippets into seperate
diff --git a/config/lacme.conf b/config/lacme.conf
index 4c7dc86..3faed2b 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -29,7 +29,7 @@
#
#group = @@lacme_client_group@@
-# Path to the ACME client executable.
+# ACME client command.
#
#command = @@libexecdir@@/lacme/client
@@ -83,7 +83,7 @@
#
#group = @@lacme_www_group@@
-# Path to the ACME webserver executable.
+# ACME webserver command.
#
#command = @@libexecdir@@/lacme/webserver
@@ -110,7 +110,7 @@
#
#group =
-# Path to the lacme-accountd(1) executable.
+# lacme-accountd(1) command.
#
#command = @@bindir@@/lacme-accountd
diff --git a/lacme b/lacme
index d2d8840..019a5e7 100755
--- a/lacme
+++ b/lacme
@@ -379,7 +379,8 @@ sub spawn_webserver() {
$ENV{DEBUG} = $OPTS{debug} // 0;
# use execve(2) rather than a Perl pseudo-process to ensure that
# the child doesn't have access to the parent's memory
- exec $conf->{command}, fileno($sock) or die;
+ my ($cmd, @args) = split(/\s+/, $conf->{command}) or die "Empty webserver command\n";
+ exec { $cmd } $cmd, @args, fileno($sock) or die;
}
print STDERR "[$$] Forking ACME webserver bound to $p, child PID $pid\n" if $OPTS{debug};
@@ -505,12 +506,13 @@ sub acme_client($@) {
drop_privileges($accountd->{user}, $accountd->{group}, '/');
set_FD_CLOEXEC($s, 0);
$client->close() or die "close: $!";
- my @cmd = ($accountd->{command}, '--conn-fd='.fileno($s));
- push @cmd, '--config='.$accountd->{config} if defined $accountd->{config};
- push @cmd, '--privkey='.$accountd->{privkey} if defined $accountd->{privkey};
- push @cmd, '--quiet' unless lc $accountd->{quiet} eq 'no';
- push @cmd, '--debug' if $OPTS{debug};
- exec { $cmd[0] } @cmd or die;
+ my ($cmd, @args) = split(/\s+/, $accountd->{command}) or die "Empty accountd command\n";
+ push @args, '--conn-fd='.fileno($s);
+ push @args, '--config='.$accountd->{config} if defined $accountd->{config};
+ push @args, '--privkey='.$accountd->{privkey} if defined $accountd->{privkey};
+ push @args, '--quiet' unless lc $accountd->{quiet} eq 'no';
+ push @args, '--debug' if $OPTS{debug};
+ exec { $cmd } $cmd, @args or die;
}
print STDERR "[$$] Forking lacme-accountd, child PID $pid\n" if $OPTS{debug};
$s->close() or die "close: $!";
@@ -546,6 +548,7 @@ sub acme_client($@) {
# use execve(2) rather than a Perl pseudo-process to ensure that the
# child doesn't have access to the parent's memory
+ my ($cmd, @args2) = split(/\s+/, $conf->{command}) or die "Empty client command\n";
my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno
set_FD_CLOEXEC($client, 1);
my $rv = spawn({in => $args->{in}, out => $args->{out}, child => sub() {
@@ -553,7 +556,7 @@ sub acme_client($@) {
set_FD_CLOEXEC($_, 0) foreach ($CONFFILE, $client);
seek($CONFFILE, SEEK_SET, 0) or die "seek: $!";
$ENV{DEBUG} = $OPTS{debug} // 0;
- }}, $conf->{command}, $COMMAND, @fileno, @args);
+ }}, $cmd, @args2, $COMMAND, @fileno, @args);
if (defined $cleanup) {
@CLEANUP = grep { $_ ne $cleanup } @CLEANUP;
@@ -564,7 +567,7 @@ sub acme_client($@) {
sub spawn($@) {
my $args = shift;
- my @exec = @_;
+ my ($cmd, @args) = @_;
# create communication pipes if needed
my ($in_rd, $in_wd, $out_rd, $out_wd);
@@ -593,7 +596,7 @@ sub spawn($@) {
} elsif (fileno(STDOUT) != fileno($args->{out})) {
open STDOUT, '>&', $args->{out} or die "dup: $!";
}
- exec { $exec[0] } @exec or die;
+ exec { $cmd } $cmd, @args or die;
}
push @CLEANUP, sub() {
kill 15 => $pid;
@@ -601,7 +604,7 @@ sub spawn($@) {
};
# parent
- print STDERR "[$$] Forking $exec[0], child PID $pid\n" if $OPTS{debug};
+ print STDERR "[$$] Forking $cmd, child PID $pid\n" if $OPTS{debug};
if (defined $args->{in}) {
$in_rd->close() or die "close: $!";
$in_wd->print($args->{in});
diff --git a/lacme.8.md b/lacme.8.md
index bc711ed..69870c4 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -183,7 +183,10 @@ of [ACME] commands and dialogues with the remote [ACME] server).
*command*
-: Path to the [ACME] client executable.
+: The [ACME] client command. It is split on whitespace, with the
+ first item being the command to execute, the second its first
+ argument etc. (Note that `lacme` might append more arguments when
+ executing the command internally.)
Default: `@@libexecdir@@/lacme/client`.
*server*
@@ -262,9 +265,13 @@ served during certificate issuance.
*command*
-: Path to the [ACME] webserver executable. A separate process is
- spawned for each address to *listen* on. (In particular no
- webserver process is forked when the *listen* option is empty.)
+: The [ACME] webserver command. It is split on whitespace, with the
+ first item being the command to execute, the second its first
+ argument etc. (Note that `lacme` might append more arguments when
+ executing the command internally.)
+ A separate process is spawned for each address to *listen* on. (In
+ particular no webserver process is forked when the *listen* option
+ is empty.)
Default: `@@libexecdir@@/lacme/webserver`.
*iptables*
@@ -297,7 +304,10 @@ UNIX-domain socket.
*command*
-: Path to the [`lacme-accountd`(1)] executable.
+: The [`lacme-accountd`(1)] command. It is split on whitespace, with
+ the first item being the command to execute, the second its first
+ argument etc. (Note that `lacme` appends more arguments when
+ executing the command internally.)
Default: `@@bindir@@/lacme-accountd`.
*config*