diff options
author | Kyle Evans <kevans@FreeBSD.org> | 2020-05-14 03:25:12 +0000 |
---|---|---|
committer | Kyle Evans <kevans@FreeBSD.org> | 2020-05-14 03:25:12 +0000 |
commit | bb33c910776d908cd459d19959beefffed85d514 (patch) | |
tree | 1ca8b7c9abc722f8e04909f02ba8eb5a39d8baf0 /usr.sbin | |
parent | b21ae0ff6fa29d05edf12744ac8c4ec5fc8562bc (diff) | |
download | src-bb33c910776d908cd459d19959beefffed85d514.tar.gz src-bb33c910776d908cd459d19959beefffed85d514.zip |
certctl(8): don't completely nuke $CERTDESTDIR
It's been reported/noted that a well-timed `certctl rehash` will completely
obliterate $CERTDESTDIR, which may get used by ports or system
administrators. While we can't guarantee the certctl semantics when other
non-certctl-controlled bits live here, we should make some amount of effort
to play nice.
Pruning all existing links, which we'll subsequently rebuild as needed, is
sufficient for our needs. This can still be destructive, but it's perhaps
less likely to cause issues.
I also note that we should probably be pruning /etc/ssl/blacklisted upon
rehash as well.
Reported by: cem's dovecot server
MFC after: 3 days
Notes
Notes:
svn path=/head/; revision=361022
Diffstat (limited to 'usr.sbin')
-rwxr-xr-x | usr.sbin/certctl/certctl.sh | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh index b46d3371db16..8212305ac67c 100755 --- a/usr.sbin/certctl/certctl.sh +++ b/usr.sbin/certctl/certctl.sh @@ -142,9 +142,11 @@ do_list() cmd_rehash() { - [ $NOOP -eq 0 ] && rm -rf "$CERTDESTDIR" - [ $NOOP -eq 0 ] && mkdir -p "$CERTDESTDIR" - [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR" + if [ $NOOP -eq 0 ]; then + [ -e "$CERTDESTDIR" ] && find "$CERTDESTDIR" -type link -delete + mkdir -p "$CERTDESTDIR" + mkdir -p "$BLACKLISTDESTDIR" + fi do_scan create_blacklisted "$BLACKLISTPATH" do_scan create_trusted_link "$TRUSTPATH" |