From 1dfc20f031a3e697f9dcc74d7b63afc15e9ebc59 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 21 Apr 2017 14:24:59 +0200
Subject: prosodyctl: Verify permissions on directory that certificates are
 written to

---
 prosodyctl | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'prosodyctl')

diff --git a/prosodyctl b/prosodyctl
index 57899607..86e2ccc4 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -830,6 +830,14 @@ function commands.cert(arg)
 	if #arg >= 1 and arg[1] ~= "--help" then
 		openssl = require "util.openssl";
 		lfs = require "lfs";
+		local cert_dir_attrs = lfs.attributes(cert_basedir);
+		if pposix.getuid() ~= cert_dir_attrs.uid then
+			show_warning("The directory "..cert_basedir.." is not owned by the current user, won't be able to write files to it");
+			return 1;
+		elseif cert_dir_attrs.permissions:match("^%.w..%-..%-.$") then
+			show_warning("The directory "..cert_basedir.." not only writable by its owner");
+			return 1;
+		end
 		local subcmd = table.remove(arg, 1);
 		if type(cert_commands[subcmd]) == "function" then
 			if not arg[1] then
-- 
cgit v1.2.3