From c612a7ff44995f4f9c39fa0fb68470d90c88decf Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 24 Feb 2021 21:01:12 +0100
Subject: lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions. Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files.
---
 lacme | 1 +
 1 file changed, 1 insertion(+)
 (limited to 'lacme')
diff --git a/lacme b/lacme
index 2366830..9012890 100755
--- a/lacme
+++ b/lacme
@@ -581,6 +581,7 @@ sub acme_client($@) {
 set_FD_CLOEXEC($client, 1);
 my $rv = spawn({in => $args->{in}, out => $args->{out}, child => sub() {
 drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/');
+ umask(0022) // die;
 set_FD_CLOEXEC($_, 0) foreach ($CONFFILE, $client);
 seek($CONFFILE, SEEK_SET, 0) or die "seek: $!";
 $ENV{DEBUG} = $OPTS{debug} // 0;
-- 
cgit v1.2.3
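Review bot: The added `umask(0022) // die;` aborts the child with a bare "Died at ..." when umask returns undef, while the `seek` two lines below names what failed; something like `umask(0022) // die "umask: unsupported";` would keep the failure diagnosable. The line also needs a why-comment, for example `# challenge response files must stay readable by the web server even when lacme(8) starts with a restrictive umask`, because relaxing the mask right after `drop_privileges()` otherwise reads as a mistake. The mask applies to everything the child creates from this point on, not only challenge files. The rest of the child closure lies outside the hunk, so confirm that the client writes nothing that should stay private under 0022.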