diff options
| -rw-r--r-- | config/lacme.conf | 4 | ||||
| -rwxr-xr-x | lacme | 26 | ||||
| -rw-r--r-- | lacme.8.md | 5 | 
3 files changed, 31 insertions, 4 deletions
| diff --git a/config/lacme.conf b/config/lacme.conf index e49bd39..2955984 100644 --- a/config/lacme.conf +++ b/config/lacme.conf @@ -71,6 +71,10 @@  #  #challenge-directory = +# Do not symlink the challenge-directory, but copy the challenge-files +# explictly. +#hard-copy-challenge-directory = No +  # username to drop privileges to (setting both effective and real uid).  # Skip privilege drop if the value is empty (not recommended).  # @@ -28,6 +28,7 @@ my $NAME = 'lacme';  use Errno 'EINTR';  use Fcntl qw/F_GETFD F_SETFD FD_CLOEXEC SEEK_SET/;  use File::Temp (); +use File::Path 'remove_tree';  use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/;  use List::Util 'first';  use POSIX (); @@ -104,6 +105,7 @@ do {          webserver => {              listen                => '@@runstatedir@@/lacme-www.socket',              'challenge-directory' => undef, +            'hard-copy-challenge-directory' => 'No',              user                  => '@@lacme_www_user@@',              group                 => '@@lacme_www_group@@',              command               => '@@libexecdir@@/lacme/webserver', @@ -289,10 +291,26 @@ sub spawn_webserver() {      # serve ACME challenge reponses).      if (defined (my $dir = $conf->{'challenge-directory'})) {          print STDERR "[$$] Using existing webserver on $dir\n" if $OPTS{debug}; -        symlink $tmpdir, $dir or die "Can't symlink $dir -> $tmpdir: $!"; -        push @CLEANUP, sub() { -            print STDERR "Unlinking $dir\n" if $OPTS{debug}; -            unlink $dir or warn "Warning: Can't unlink $dir: $!"; +        if (lc ($conf->{'hard-copy-challenge-directory'} // 'No') eq 'yes') { +            mkdir $dir or die "Can't create directory $dir: $!"; +            $tmpdir = $dir; +            push @CLEANUP, sub() { +                my $error = undef; +                remove_tree($dir, { safe => 1, error => \$error }); +                if ($error && @$error) { +                    foreach my $e (@$error) { +                        my ($file, $message) = %$e; +                        my $msghead = $file?"Error removing $file in":"Error while removing"; +                        warn "$msghead challenge dir $dir: $message\n"; +                    } +                } +            } +        } else { +            symlink $tmpdir, $dir or die "Can't symlink $dir -> $tmpdir: $!"; +            push @CLEANUP, sub() { +                print STDERR "Unlinking $dir\n" if $OPTS{debug}; +                unlink $dir or warn "Warning: Can't unlink $dir: $!"; +            }          }      }      elsif (!@sockaddr) { @@ -244,6 +244,11 @@ served during certificate issuance.      authorization) as static files.      This option is required when *listen* is empty. +*hard-copy-challenge-directory* + +:   Do not symlink the challenge-directory, but copy the challenge-files +    explictly. +  *user*  :   The username to drop privileges to (setting both effective and real | 
