authorGuilhem Moulin <guilhem@fripost.org>2017-06-28 21:26:00 +0200
committerGuilhem Moulin <guilhem@fripost.org>2017-06-28 22:09:50 +0200
commit80c3a95a95ed268905fa87a398748f94628eed44 (patch)
treef56329c73dd0bb97cd3b182d7c250edf1a911284
parent944407621f313c15f6cfd53267da1ddbdaceec9f (diff)
new-cert: use File::Temp for the temporary cert filename.
This ensures we aren't overwriting existing /path/to/srv.pem.new files.
-rwxr-xr-xlacme19
1 files changed, 13 insertions, 6 deletions
diff --git a/lacme b/lacme
index b4d09e8..fd90d1e 100755
--- a/lacme
+++ b/lacme
@@ -604,14 +604,19 @@ sub spawn($@) {
#############################################################################
# Install the certificate
#
-sub install_cert($$@) {
+sub install_cert($$;$) {
my $filename = shift;
my $x509 = shift;
- my @chain = @_;
+ my @chain = grep !/\A\s*\z/, @_; # ignore empty CAfile
+
+ my ($dirname, $basename) =
+ $filename =~ /\A(.*)\/([^\/]+)\z/ ? ($1, $2) : ('.', $filename);
+ my $fh = File::Temp::->new(UNLINK => 0, DIR => $dirname,
+ TEMPLATE => "$basename.XXXXXX") // die;
- my $tmp = "$filename.new";
- open my $fh, '>', $tmp or die "Can't open $tmp: $!";
eval {
+ my $umask = umask() // die "umask: $!";
+ chmod(0644 &~ $umask, $fh) or die "chmod: $!";
$fh->print($x509) or die "Can't print: $!";
foreach (@chain) { # append the chain
open my $fh2, '<', $_ or die "Can't open $_: $!";
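Review bot: The `// die` guard after `File::Temp::->new(...)` on the added lines is, as far as I can tell, dead code, since File::Temp's constructor croaks when it cannot create the file rather than returning undef, and if it ever did fire a bare `die` would report nothing about which directory failed. Either drop the guard or make the failure message useful, e.g. `my $fh = eval { File::Temp::->new(UNLINK => 0, DIR => $dirname, TEMPLATE => "$basename.XXXXXX") } or die "Can't create temporary file in $dirname: $@";`. Calling `chmod` on the handle rather than on the path is the right choice here, as it cannot be redirected by a concurrent rename of the temporary file. The `/\A(.*)\/([^\/]+)\z/` split falls back to `('.', $filename)` for any unmatched input, so a `$filename` with a trailing slash would become the template itself; a short comment stating that `$filename` is expected to be a plain file path would make that assumption visible. install_cert's body continues past the end of this hunk.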
@@ -621,11 +626,13 @@ sub install_cert($$@) {
}
$fh->close() or die "Can't close: $!";
};
+ my $path = $fh->filename();
if ($@) {
- unlink $tmp or warn "Can't unlink $tmp: $!";
+ print STDERR "Unlinking $path\n" if $OPTS{debug};
+ unlink $path or warn "Can't unlink $path: $!";
die $@;
}
- rename($tmp, $filename) or die "Can't rename $tmp to $filename: $!";
+ rename($path, $filename) or die "Can't rename $path to $filename: $!";
}
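Review bot: When `rename` fails on the last changed line, the randomly named temporary file `$path` is left behind in `$dirname`, whereas the `$@` branch just above unlinks it; with a random suffix such a leftover is also harder for an operator to spot than the old `$filename.new`. Remove it before dying, keeping the original errno: `rename($path, $filename) or do { my $err = $!; unlink $path or warn "Can't unlink $path: $!"; die "Can't rename $path to $filename: $err" };`. install_cert starts before this hunk.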