| -rw-r--r-- | Changelog | 4 | ||||
| -rwxr-xr-x | client | 3 | ||||
| -rwxr-xr-x | lacme | 1 | ||||
| -rw-r--r-- | lacme.8.md | 3 | ||||
| -rw-r--r-- | tests/cert-install | 45 | 
5 files changed, 40 insertions, 16 deletions
| @@ -3,6 +3,10 @@ lacme (0.8.1) upstream;
  + lacme-accountd: improve log messages and refactor logging logic.
  + lacme-accountd: refuse to sign JWS with an invalid Protected Header.
  + lacme: don't write certificate(-chain) file on chown/chmod failure.
+ + lacme: default mode for certificate(-chain) creation is 0644 minus
+   umask restrictions.  Also, always spawn the client with umask 0022 so
+   a starting lacme(8) with a restrictive umask doesn't impede serving
+   challenge files.
  - lacme: in the [accountd] config, let lacme-accountd(1) do the
    %-expansion for 'config', not lacme(8) when building the command.
  - lacme-accountd: don't log debug messages unless --debug is set.
@@ -338,7 +338,8 @@ elsif ($COMMAND eq 'newOrder') {
         my $keyAuthorization = $challenge->{token}.'.'.$JWK_thumbprint;
         # serve $keyAuthorization at http://$domain/.well-known/acme-challenge/$challenge->{token}
-        if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY, 0644)) {
+        if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY)) {
+            # note: the file is created mode 0666 minus umask restrictions
             $fh->print($keyAuthorization);
             $fh->close() or die "close: $!";
         } elsif ($! == EEXIST) {
@@ -581,6 +581,7 @@ sub acme_client($@) {
     set_FD_CLOEXEC($client, 1);
     my $rv = spawn({in => $args->{in}, out => $args->{out}, child => sub() {
         drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/');
+        umask(0022) // die;
         set_FD_CLOEXEC($_, 0) foreach ($CONFFILE, $client);
         seek($CONFFILE, SEEK_SET, 0) or die "seek: $!";
         $ENV{DEBUG} = $OPTS{debug} // 0;
@@ -429,7 +429,8 @@ Valid settings are:
 *chmod*
 :   An optional octal mode to chmod the issued *certificate* and
-    *certificate-chain* to.
+    *certificate-chain* to.  By default the files are created with mode
+    0644 minus umask restrictions.
 *notify* 
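Review bot: Dropping the 0644 PERMS argument from sysopen() removes the upper bound on the challenge file's mode: the file is now created as 0666 & ~umask, so a client run with a permissive umask (as far as this diff shows, 0022 is only guaranteed when spawned through acme_client) ends up world-writable in the directory served as /.well-known/acme-challenge/. The PERMS argument is itself masked by the umask, so `sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY, 0644)` already honoured a restrictive umask while never yielding more than 0644; I'd keep it and reword the added note to `# note: the file is created mode 0644 minus umask restrictions`. The enclosing elsif branch continues outside the hunk.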
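Review bot: `umask(0022) // die;` dies without a message, and as far as I can tell Perl's umask() always returns the previous mask (umask(2) has no failure mode), so the `// die` guard is effectively unreachable; if it stays, give it context, `umask(0022) // die "umask: $!";`. More useful is a why-comment on the constant, which is otherwise unexplained at the call site: `# challenge files are created 0666 minus umask; keep them readable by the webserver even if lacme(8) was started with a restrictive umask`. The child sub and the surrounding spawn() call in acme_client continue outside the hunk.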
diff --git a/tests/cert-install b/tests/cert-install
index 5d8a239..c49a294 100644
--- a/tests/cert-install
+++ b/tests/cert-install
@@ -149,40 +149,57 @@ st="$(stat -c "%U:%G %#a" /etc/lacme/test5.pem)"
 st="$(stat -c "%U:%G %#a" /etc/lacme/test5.crt)"
 [ "$st" = "nobody:nogroup 0644" ]
-# chmod
+# umask restrictions (also test empty values)
 openssl genpkey -algorithm RSA -out /etc/lacme/test6.key
 cat >"/etc/lacme/lacme-certs.conf.d/test6.conf" <<- EOF
 	[test6]
 	certificate-key = /etc/lacme/test6.key
-	certificate = /etc/lacme/test6.pem
 	certificate-chain = /etc/lacme/test6.crt
-	chmod = 0400
+	certificate =
+	chmod =
+	chown =
 	subject = $subject
 EOF
-lacme newOrder test6 2>"$STDERR" || fail newOrder test6
-st="$(stat -c "%U:%G %#a" /etc/lacme/test6.pem)"
-[ "$st" = "root:root 0400" ]
+( umask 0077 && lacme newOrder test6 2>"$STDERR" || fail newOrder test6 )
+! test -e /etc/lacme/test6.pem
 st="$(stat -c "%U:%G %#a" /etc/lacme/test6.crt)"
-[ "$st" = "root:root 0400" ]
+[ "$st" = "root:root 0600" ]
-# post-issuance notification
+# chmod
 openssl genpkey -algorithm RSA -out /etc/lacme/test7.key
 cat >"/etc/lacme/lacme-certs.conf.d/test7.conf" <<- EOF
 	[test7]
 	certificate-key = /etc/lacme/test7.key
+	certificate = /etc/lacme/test7.pem
 	certificate-chain = /etc/lacme/test7.crt
+	chmod = 0400
 	subject = $subject
-	notify = touch /tmp/test7.notify
 EOF
 lacme newOrder test7 2>"$STDERR" || fail newOrder test7
-grepstderr -Fxq "Running notification command \`touch /tmp/test7.notify\`"
-test -e /tmp/test7.notify
+st="$(stat -c "%U:%G %#a" /etc/lacme/test7.pem)"
+[ "$st" = "root:root 0400" ]
+st="$(stat -c "%U:%G %#a" /etc/lacme/test7.crt)"
+[ "$st" = "root:root 0400" ]
-rm -f /tmp/test7.notify
-lacme newOrder test7 2>"$STDERR" || fail newOrder test7
+# post-issuance notification
+openssl genpkey -algorithm RSA -out /etc/lacme/test8.key
+cat >"/etc/lacme/lacme-certs.conf.d/test8.conf" <<- EOF
+	[test8]
+	certificate-key = /etc/lacme/test8.key
+	certificate-chain = /etc/lacme/test8.crt
+	subject = $subject
+	notify = touch /tmp/test8.notify
+EOF
+
+lacme newOrder test8 2>"$STDERR" || fail newOrder test8
+grepstderr -Fxq "Running notification command \`touch /tmp/test8.notify\`"
+test -e /tmp/test8.notify
+
+rm -f /tmp/test8.notify
+lacme newOrder test8 2>"$STDERR" || fail newOrder test8
 ngrepstderr -Fq "Running notification command"
-! test -e /tmp/test7.notify
+! test -e /tmp/test8.notify
 # vim: set filetype=sh : |
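Review bot: In `( umask 0077 && lacme newOrder test6 2>"$STDERR" || fail newOrder test6 )` the `fail` handler runs inside the subshell, so whatever it does to abort (presumably an exit) only ends the subshell, and unless the script runs under set -e a failed newOrder falls through to the stat below and is reported as a misleading mode mismatch rather than an order failure. Moving the handler outside, `( umask 0077 && lacme newOrder test6 2>"$STDERR" ) || fail newOrder test6`, keeps the umask change scoped to the subshell while making the failure path identical to the other tests in this file. Note also that the added `! test -e /etc/lacme/test6.pem` and `! test -e /tmp/test8.notify` are pipelines beginning with `!`, which set -e ignores, so on their own they never abort the script; the script's option setup and the `fail` definition are outside the hunk.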
