authorGuilhem Moulin <guilhem@fripost.org>2016-03-02 22:21:40 +0100
committerGuilhem Moulin <guilhem@fripost.org>2016-03-02 22:21:40 +0100
commita2e7dfe69b9b0470d79a8446ee57c123b802d529 (patch)
tree0959f45024549d72fc1470a3b05f5ebc1a8316b4
parent63633fd91bcc97217f2ac45ba602d752e8fbaafd (diff)
wibble
-rwxr-xr-xletsencrypt4
1 files changed, 2 insertions, 2 deletions
diff --git a/letsencrypt b/letsencrypt
index 23659d5..2b0249c 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -410,6 +410,8 @@ sub acme_client($@) {
die "connect: $!";
}
+ # use execve(2) rather than a Perl pseudo-process to ensure that the
+ # child doesn't have access to the parent's memory
my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno
spawn({%$args{qw/in out/}, child => sub() {
drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/');
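Review bot: The relocated comment now sits above the `my @fileno` untaint line rather than the `spawn(` call it explains, and the `exec { $exec[0] } @exec` in spawn() is left with no rationale, so a later refactor could drop the exec without noticing the security reason for it. The isolation only takes effect at that exec; the `child => sub()` callback, including `drop_privileges`, presumably still runs in a forked copy of the parent's address space, so the comment should say "after exec" rather than imply the whole child is isolated. I would place the comment directly above `spawn(` and keep a one-line pointer at the exec site, e.g. `# exec is required: the child must not keep the parent's memory (see acme_client)`. It is also worth noting there that the descriptors collected in `@fileno` appear to be handed to the child on purpose, since execve(2) discards memory but not open file descriptors. acme_client's body starts and ends outside this hunk.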
@@ -448,8 +450,6 @@ sub spawn($@) {
} else {
open STDOUT, '>', '/dev/null' or die "Can't open /dev/null: $!";
}
- # use execve(2) rather than a Perl pseudo-process to ensure that
- # the child doesn't have access to the parent's memory
exec { $exec[0] } @exec or die;
}
push @CLEANUP, sub() {