From 1dfc20f031a3e697f9dcc74d7b63afc15e9ebc59 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Apr 2017 14:24:59 +0200 Subject: prosodyctl: Verify permissions on directory that certificates are written to --- prosodyctl | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/prosodyctl b/prosodyctl index 57899607..86e2ccc4 100755 --- a/prosodyctl +++ b/prosodyctl @@ -830,6 +830,14 @@ function commands.cert(arg) if #arg >= 1 and arg[1] ~= "--help" then openssl = require "util.openssl"; lfs = require "lfs"; + local cert_dir_attrs = lfs.attributes(cert_basedir); + if pposix.getuid() ~= cert_dir_attrs.uid then + show_warning("The directory "..cert_basedir.." is not owned by the current user, won't be able to write files to it"); + return 1; + elseif cert_dir_attrs.permissions:match("^%.w..%-..%-.$") then + show_warning("The directory "..cert_basedir.." not only writable by its owner"); + return 1; + end local subcmd = table.remove(arg, 1); if type(cert_commands[subcmd]) == "function" then if not arg[1] then -- cgit v1.2.3