From 80c3a95a95ed268905fa87a398748f94628eed44 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 28 Jun 2017 21:26:00 +0200
Subject: new-cert: use File::Temp for the temporary cert filename. This ensures we aren't overwritting existing /path/to/srv.pem.new files.
---
 lacme | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/lacme b/lacme
index b4d09e8..fd90d1e 100755
--- a/lacme
+++ b/lacme
@@ -604,14 +604,19 @@ sub spawn($@) {
 #############################################################################
 # Install the certificate
 #
-sub install_cert($$@) {
+sub install_cert($$;$) {
 my $filename = shift;
 my $x509 = shift;
- my @chain = @_;
+ my @chain = grep !/\A\s*\z/, @_; # ignore empty CAfile
+
+ my ($dirname, $basename) =
+ $filename =~ /\A(.*)\/([^\/]+)\z/ ? ($1, $2) : ('.', $filename);
+ my $fh = File::Temp::->new(UNLINK => 0, DIR => $dirname,
+ TEMPLATE => "$basename.XXXXXX") // die;
- my $tmp = "$filename.new";
- open my $fh, '>', $tmp or die "Can't open $tmp: $!";
 eval {
+ my $umask = umask() // die "umask: $!";
+ chmod(0644 &~ $umask, $fh) or die "chmod: $!";
 $fh->print($x509) or die "Can't print: $!";
 foreach (@chain) { # append the chain
 open my $fh2, '<', $_ or die "Can't open $_: $!";
@@ -621,11 +626,13 @@ sub install_cert($$@) {
 }
 $fh->close() or die "Can't close: $!";
 };
+ my $path = $fh->filename();
 if ($@) {
- unlink $tmp or warn "Can't unlink $tmp: $!";
+ print STDERR "Unlinking $path\n" if $OPTS{debug};
+ unlink $path or warn "Can't unlink $path: $!";
 die $@;
 }
- rename($tmp, $filename) or die "Can't rename $tmp to $filename: $!";
+ rename($path, $filename) or die "Can't rename $path to $filename: $!";
 }
-- cgit v1.2.3
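Review bot: The directory/basename split in the added lines produces an empty `$dirname` when `$filename` sits directly under the root (for example `/srv.pem`), because `(.*)` matches the empty string before the final slash. File::Temp appears to treat a false `DIR` as unset, so the temporary file would then be created relative to the current directory and the later `rename` could cross filesystems or fail; adding `$dirname = '/' if $dirname eq '';` after the split, or deriving both parts with File::Basename, would avoid that. Separately, `File::Temp->new` croaks on failure rather than returning undef as far as I can tell, so the trailing `// die` can only ever produce a bare "Died" and could be dropped or given a message. install_cert's body continues past the end of this hunk.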
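Review bot: A failed `rename` on the last changed line now leaves the temporary file behind, because the handle is created with `UNLINK => 0` and only the `if ($@)` branch unlinks `$path`. With the old fixed `.new` name a leftover was overwritten on the next run, whereas each failed run now adds another `$basename.XXXXXX` file next to the certificate. Consider cleaning up before dying, e.g. `rename($path, $filename) or do { my $err = $!; unlink $path; die "Can't rename $path to $filename: $err" };`. It would also be more robust to copy `$@` into a lexical directly after the `eval` block, ahead of the `$fh->filename()` call, so nothing in between can reset it. install_cert begins before this hunk.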