authorGuilhem Moulin <guilhem@fripost.org>2021-02-24 21:01:12 +0100
committerGuilhem Moulin <guilhem@fripost.org>2021-02-24 21:32:01 +0100
commitc612a7ff44995f4f9c39fa0fb68470d90c88decf (patch)
tree4b0a3fd2c44dbc25653a93b7ec692a003f0e133b
parentcdd025133a306cd8d3e81aa832ac056119d65f3a (diff)
lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions.
Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files.
-rw-r--r--Changelog4
-rwxr-xr-xclient3
-rwxr-xr-xlacme1
-rw-r--r--lacme.8.md3
-rw-r--r--tests/cert-install45
5 files changed, 40 insertions, 16 deletions
diff --git a/Changelog b/Changelog
index 2a027f1..f7f11f6 100644
--- a/Changelog
+++ b/Changelog
@@ -3,6 +3,10 @@ lacme (0.8.1) upstream;
+ lacme-accountd: improve log messages and refactor logging logic.
+ lacme-accountd: refuse to sign JWS with an invalid Protected Header.
+ lacme: don't write certificate(-chain) file on chown/chmod failure.
+ + lacme: default mode for certificate(-chain) creation is 0644 minus
+ umask restrictions. Also, always spawn the client with umask 0022 so
+ a starting lacme(8) with a restrictive umask doesn't impede serving
+ challenge files.
- lacme: in the [accountd] config, let lacme-accountd(1) do the
%-expansion for 'config', not lacme(8) when building the command.
- lacme-accountd: don't log debug messages unless --debug is set.
diff --git a/client b/client
index 6438f6a..33189d3 100755
--- a/client
+++ b/client
@@ -338,7 +338,8 @@ elsif ($COMMAND eq 'newOrder') {
my $keyAuthorization = $challenge->{token}.'.'.$JWK_thumbprint;
# serve $keyAuthorization at http://$domain/.well-known/acme-challenge/$challenge->{token}
- if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY, 0644)) {
+ if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY)) {
+ # note: the file is created mode 0666 minus umask restrictions
$fh->print($keyAuthorization);
$fh->close() or die "close: $!";
} elsif ($! == EEXIST) {
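Review bot: Dropping the explicit 0644 from sysopen on the added line removes the upper bound on the challenge file's mode: with no MODE argument sysopen defaults to 0666, so under a permissive umask (0000 or 0002) the token file in the webroot becomes group- or world-writable, whereas an explicit mode is itself subject to umask and would have produced the same 0644 under the umask 0022 that lacme(8) now forces on the child. Unless the intent is that the umask alone decides, keep the mode as a ceiling, `if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY, 0644)) {`, and reword the comment to `# note: created mode 0644 minus umask restrictions; lacme(8) spawns us with umask 0022`. The readability of the result still depends on the parent's umask, so a standalone invocation of client with a restrictive umask would produce a file the web server cannot serve, which is worth stating in that comment. The enclosing `elsif ($COMMAND eq 'newOrder')` block begins before the hunk and the if/elsif chain continues past it.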
diff --git a/lacme b/lacme
index 2366830..9012890 100755
--- a/lacme
+++ b/lacme
@@ -581,6 +581,7 @@ sub acme_client($@) {
set_FD_CLOEXEC($client, 1);
my $rv = spawn({in => $args->{in}, out => $args->{out}, child => sub() {
drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/');
+ umask(0022) // die;
set_FD_CLOEXEC($_, 0) foreach ($CONFFILE, $client);
seek($CONFFILE, SEEK_SET, 0) or die "seek: $!";
$ENV{DEBUG} = $OPTS{debug} // 0;
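Review bot: The bare `die` on the added `umask(0022) // die;` line yields only "Died at lacme line N", unlike the neighbouring `die "seek: $!"`; umask returns undef only when umask(2) is unavailable, and `$!` carries nothing useful in that case, so give it a literal message: `umask(0022) // die "umask: not supported";`. Since this pins the child's umask regardless of what lacme(8) was started with, a one-line why-comment above it would help the next reader, e.g. `# fixed umask so challenge files stay world-readable even if lacme(8) was started with a restrictive one`. The enclosing `acme_client` and the `spawn` child closure both extend beyond the hunk.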
diff --git a/lacme.8.md b/lacme.8.md
index c39f51c..7f6558e 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -429,7 +429,8 @@ Valid settings are:
*chmod*
: An optional octal mode to chmod the issued *certificate* and
- *certificate-chain* to.
+ *certificate-chain* to. By default the files are created with mode
+ 0644 minus umask restrictions.
*notify*
diff --git a/tests/cert-install b/tests/cert-install
index 5d8a239..c49a294 100644
--- a/tests/cert-install
+++ b/tests/cert-install
@@ -149,40 +149,57 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)"
st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)"
[ "$st" = "nobody:nogroup 0644" ]
-# chmod
+# umask restrictions (also test empty values)
openssl genpkey -algorithm RSA -out /etc/lacme/test6.key
cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF
[test6]
certificate-key = /etc/lacme/test6.key
- certificate = /etc/lacme/test6.pem
certificate-chain = /etc/lacme/test6.crt
- chmod = 0400
+ certificate =
+ chmod =
+ chown =
subject = $subject
EOF
-lacme newOrder test6 2>"$STDERR" || fail newOrder test6
-st="$(stat -c "%U:%G %#a" /etc/lacme/test6.pem)"
-[ "$st" = "root:root 0400" ]
+( umask 0077 && lacme newOrder test6 2>"$STDERR" || fail newOrder test6 )
+! test -e /etc/lacme/test6.pem
st="$(stat -c "%U:%G %#a" /etc/lacme/test6.crt)"
-[ "$st" = "root:root 0400" ]
+[ "$st" = "root:root 0600" ]
-# post-issuance notification
+# chmod
openssl genpkey -algorithm RSA -out /etc/lacme/test7.key
cat >"/etc/lacme/lacme-certs.conf.d/test7.conf" <<- EOF
[test7]
certificate-key = /etc/lacme/test7.key
+ certificate = /etc/lacme/test7.pem
certificate-chain = /etc/lacme/test7.crt
+ chmod = 0400
subject = $subject
- notify = touch /tmp/test7.notify
EOF
lacme newOrder test7 2>"$STDERR" || fail newOrder test7
-grepstderr -Fxq "Running notification command \`touch /tmp/test7.notify\`"
-test -e /tmp/test7.notify
+st="$(stat -c "%U:%G %#a" /etc/lacme/test7.pem)"
+[ "$st" = "root:root 0400" ]
+st="$(stat -c "%U:%G %#a" /etc/lacme/test7.crt)"
+[ "$st" = "root:root 0400" ]
-rm -f /tmp/test7.notify
-lacme newOrder test7 2>"$STDERR" || fail newOrder test7
+# post-issuance notification
+openssl genpkey -algorithm RSA -out /etc/lacme/test8.key
+cat >"/etc/lacme/lacme-certs.conf.d/test8.conf" <<- EOF
+ [test8]
+ certificate-key = /etc/lacme/test8.key
+ certificate-chain = /etc/lacme/test8.crt
+ subject = $subject
+ notify = touch /tmp/test8.notify
+EOF
+
+lacme newOrder test8 2>"$STDERR" || fail newOrder test8
+grepstderr -Fxq "Running notification command \`touch /tmp/test8.notify\`"
+test -e /tmp/test8.notify
+
+rm -f /tmp/test8.notify
+lacme newOrder test8 2>"$STDERR" || fail newOrder test8
ngrepstderr -Fq "Running notification command"
-! test -e /tmp/test7.notify
+! test -e /tmp/test8.notify
# vim: set filetype=sh :
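Review bot: The added `! test -e /etc/lacme/test6.pem` (and the rewritten `! test -e /tmp/test8.notify` near the end) can never abort the script: a `!`-negated pipeline is exempt from errexit, and the bare `[ "$st" = ... ]` assertions in this file only make sense if the script relies on `set -e` (not visible in the hunk, so inferred). Write them as `test ! -e /etc/lacme/test6.pem` and `test ! -e /tmp/test8.notify` so a stray file fails the run. On the `( umask 0077 && lacme newOrder test6 ... || fail newOrder test6 )` line, `fail` runs inside the subshell, which is fine under errexit but silently swallowed otherwise; `( umask 0077 && lacme newOrder test6 2>"$STDERR" ) || fail newOrder test6` keeps the umask scoped and the failure handling independent of the shell options. The `0600` expectation for test6.crt matches 0644 masked by 0077 and the empty `certificate =` setting correctly yields no test6.pem.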