Certs: Create directories with execute permissions so they can be ope…

…ned (#395) * Create directories with execute permissions so they can be opened * Use 0700 permissions on certificate directories instead of 0755
StackExchange · Aug 27, 2018 · 402fc44 · 402fc44
1 parent e680fb9
commit 402fc44
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/pkg/acme/acme.go b/pkg/acme/acme.go
@@ -77,7 +77,7 @@ func (c *certManager) IssueOrRenewCert(cfg *CertConfig, renewUnder int, verbose
 	}
 
 	log.Printf("Checking certificate [%s]", cfg.CertName)
-	if err := os.MkdirAll(filepath.Dir(c.certFile(cfg.CertName, "json")), perms); err != nil {
+	if err := os.MkdirAll(filepath.Dir(c.certFile(cfg.CertName, "json")), dirPerms); err != nil {
 		return false, err
 	}
 	existing, err := c.readCertificate(cfg.CertName)

diff --git a/pkg/acme/registration.go b/pkg/acme/registration.go
@@ -61,10 +61,12 @@ func (c *certManager) accountKeyFile() string {
 	return filepath.Join(c.accountDirectory(), "account.key")
 }
 
-const perms os.FileMode = 0644 // TODO: probably lock this down more
+// TODO: probably lock these down more
+const perms os.FileMode = 0644
+const dirPerms os.FileMode = 0700
 
 func (c *certManager) createAccount() error {
-	if err := os.MkdirAll(c.accountDirectory(), perms); err != nil {
+	if err := os.MkdirAll(c.accountDirectory(), dirPerms); err != nil {
 		return err
 	}
 	privateKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)