From c612a7ff44995f4f9c39fa0fb68470d90c88decf Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 24 Feb 2021 21:01:12 +0100
Subject: lacme: Default mode for certificate(-chain) creation is 0644 minus
 umask restrictions.

Also, always spawn the client with umask 0022 so a starting lacme(8)
with a restrictive umask doesn't impede serving challenge response
files.
---
 client | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'client')

diff --git a/client b/client
index 6438f6a..33189d3 100755
--- a/client
+++ b/client
@@ -338,7 +338,8 @@ elsif ($COMMAND eq 'newOrder') {
         my $keyAuthorization = $challenge->{token}.'.'.$JWK_thumbprint;
 
         # serve $keyAuthorization at http://$domain/.well-known/acme-challenge/$challenge->{token}
-        if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY, 0644)) {
+        if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY)) {
+            # note: the file is created mode 0666 minus umask restrictions
             $fh->print($keyAuthorization);
             $fh->close() or die "close: $!";
         } elsif ($! == EEXIST) {
-- 
cgit v1.2.3