author | Guilhem Moulin <guilhem@fripost.org> | 2021-02-16 17:24:31 +0100 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2021-02-18 00:42:32 +0100 |
commit | 2efd4458f4db7f489ecc81f4039b8e8103edf9d9 (patch) | |
tree | 96c97c31ae1edd6b2b5bc746d1adf4d7eb8fad96 | |
parent | c75bc6c37840b8fc2c57424d24c06a0bfe399de6 (diff) |
Don't load configuration files from ./ by default.
This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer
consider ./lacme.conf resp. ./lacme-accountd.conf as default location
for the configuration file. Doing so has security implications when
running these programs from insecure directories.
-rw-r--r-- | Changelog | 3 | ||||
-rwxr-xr-x | lacme | 3 | ||||
-rwxr-xr-x | lacme-accountd | 3 | ||||
-rw-r--r-- | lacme-accountd.1.md | 8 | ||||
-rw-r--r-- | lacme.8.md | 7 |
5 files changed, 12 insertions, 12 deletions
@@ -19,6 +19,9 @@ lacme (0.7.1) upstream;
 validate provided X.509 chains using that self-contained bundle,
 regardless of which CAs is marqued as trusted under /etc/ssl/certs.
 This change bumps the minimum OpenSSL version to 1.1.0.
+ * Breaking change: lacme(8) resp. lacme-accountd(1) no longer consider
+ ./lacme.conf resp. ./lacme-accountd.conf as default location for the
+ configuration file.
 + Improve nginx/apache2 snippets for direct serving of challenge files
 (with the new 'challenge-directory' logic symlinks can be disabled).
 + Add support for TLS Feature extension from RFC 7633; this is mostly
@@ -77,8 +77,7 @@ $COMMAND = $COMMAND =~ /\A(account|newOrder|new-cert|revokeCert|revoke-cert)\z/
 sub set_FD_CLOEXEC($$);
 my $CONFFILENAME = $OPTS{config} // first { -f $_ }
- ( "./$NAME.conf"
- , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf"
+ ( ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config") . "/lacme/$NAME.conf"
 , "@@sysconfdir@@/lacme/$NAME.conf"
 );
 do {
diff --git a/lacme-accountd b/lacme-accountd
index d05fb9c..36e9d9f 100755
--- a/lacme-accountd
+++ b/lacme-accountd
@@ -65,8 +65,7 @@ usage(0) if $OPTS{help};
 do {
 my $conffile = $OPTS{config} // first { -f $_ }
- ( "./$NAME.conf"
- , ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config")."/lacme/$NAME.conf"
+ ( ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config") . "/lacme/$NAME.conf"
 , "@@sysconfdir@@/lacme/$NAME.conf"
 );
 die "Error: Can't find configuration file\n" unless defined $conffile;
diff --git a/lacme-accountd.1.md b/lacme-accountd.1.md
index 560cfac..e628476 100644
--- a/lacme-accountd.1.md
+++ b/lacme-accountd.1.md
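Review bot: The remaining first candidate, `( ($ENV{XDG_CONFIG_HOME} // "$ENV{HOME}/.config") . "/lacme/$NAME.conf"`, still honours a relative `XDG_CONFIG_HOME`, so a relative value quietly reinstates the current-directory-relative lookup this commit removes; the XDG Base Directory spec says relative values in these variables must be ignored. I would derive the directory first and accept the variable only when absolute, `my $confdir = $ENV{XDG_CONFIG_HOME};` then `$confdir = "$ENV{HOME}/.config" unless defined $confdir and $confdir =~ m{\A/};`, and use `"$confdir/lacme/$NAME.conf"` as the first element of the list. The identical line in the lacme-accountd hunk (`@@ -65,8 +65,7 @@`) has the same issue. If `$ENV{HOME}` can be unset in the intended service context the fallback would also want a `defined` check, but that cannot be judged from the hunk. The `do {` opened on the last line of the lacme hunk continues outside it.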
@@ -84,10 +84,10 @@ Configuration file
 ==================
 If `--config=` is not given, `lacme-accountd` uses the first existing
-configuration file among *./lacme-accountd.conf*,
-*$XDG_CONFIG_HOME/lacme/lacme-accountd.conf* (or
-*~/.config/lacme/lacme-accountd.conf* if the `XDG_CONFIG_HOME`
-environment variable is not set), and *@@sysconfdir@@/lacme/lacme-accountd.conf*.
+configuration file among *$XDG_CONFIG_HOME/lacme/lacme-accountd.conf*
+(or *~/.config/lacme/lacme-accountd.conf* if the `XDG_CONFIG_HOME`
+environment variable is not set), and
+*@@sysconfdir@@/lacme/lacme-accountd.conf*.
 When given on the command line, the `--privkey=`, `--socket=` and
 `--quiet` options take precedence over their counterpart (without
@@ -131,10 +131,9 @@ Configuration file
 ==================
 If `--config=` is not given, `lacme` uses the first existing
-configuration file among *./lacme.conf*,
-*$XDG_CONFIG_HOME/lacme/lacme.conf* (or *~/.config/lacme/lacme.conf* if
-the `XDG_CONFIG_HOME` environment variable is not set), and
-*@@sysconfdir@@/lacme/lacme.conf*.
+configuration file among *$XDG_CONFIG_HOME/lacme/lacme.conf* (or
+*~/.config/lacme/lacme.conf* if the `XDG_CONFIG_HOME` environment
+variable is not set), and *@@sysconfdir@@/lacme/lacme.conf*.
 Valid options are:
 Default section |