# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1492777499 -7200
# Node ID 83d776b344ad638250eab74603fc9eadf62b0496
# Parent  86ec9045d095fa9edf27475a9dd945c5a356efbd
prosodyctl: Verify permissions on directory that certificates are written to

diff -r 86ec9045d095 -r 83d776b344ad prosodyctl
--- a/prosodyctl	Fri Apr 21 14:20:46 2017 +0200
+++ b/prosodyctl	Fri Apr 21 14:24:59 2017 +0200
@@ -830,6 +830,14 @@
 	if #arg >= 1 and arg[1] ~= "--help" then
 		openssl = require "util.openssl";
 		lfs = require "lfs";
+		local cert_dir_attrs = lfs.attributes(cert_basedir);
+		if pposix.getuid() ~= cert_dir_attrs.uid then
+			show_warning("The directory "..cert_basedir.." is not owned by the current user, won't be able to write files to it");
+			return 1;
+		elseif cert_dir_attrs.permissions:match("^%.w..%-..%-.$") then
+			show_warning("The directory "..cert_basedir.." not only writable by its owner");
+			return 1;
+		end
 		local subcmd = table.remove(arg, 1);
 		if type(cert_commands[subcmd]) == "function" then
 			if not arg[1] then