Merge pull request #7742 from osirisinferi/force-non-restrictive-umask

Force non restrictive umask when creating challenge directory in Apache plugin
2026-01-26 07:41:33 +03:00 · 2020-02-26 17:09:20 -08:00
parent 4ea98d830b 9819443440
commit f169c37153
3 changed files with 18 additions and 1 deletions
--- a/certbot-apache/certbot_apache/_internal/http_01.py
+++ b/certbot-apache/certbot_apache/_internal/http_01.py
@@ -1,5 +1,6 @@
 """A class that performs HTTP-01 challenges for Apache"""
 import logging
+import errno

 from acme.magic_typing import List
 from acme.magic_typing import Set
@@ -168,7 +169,15 @@ class ApacheHttp01(common.ChallengePerformer):

    def _set_up_challenges(self):
        if not os.path.isdir(self.challenge_dir):
-            filesystem.makedirs(self.challenge_dir, 0o755)
+            old_umask = os.umask(0o022)
+            try:
+                filesystem.makedirs(self.challenge_dir, 0o755)
+            except OSError as exception:
+                if exception.errno not in (errno.EEXIST, errno.EISDIR):
+                    raise errors.PluginError(
+                        "Couldn't create root for http-01 challenge")
+            finally:
+                os.umask(old_umask)

        responses = []
        for achall in self.achalls:
--- a/certbot-apache/tests/http_01_test.py
+++ b/certbot-apache/tests/http_01_test.py
@@ -1,5 +1,6 @@
 """Test for certbot_apache._internal.http_01."""
 import unittest
+import errno

 import mock

@@ -197,6 +198,12 @@ class ApacheHttp01Test(util.ApacheTest):

        self.assertTrue(os.path.exists(challenge_dir))

+    @mock.patch("certbot_apache._internal.http_01.filesystem.makedirs")
+    def test_failed_makedirs(self, mock_makedirs):
+        mock_makedirs.side_effect = OSError(errno.EACCES, "msg")
+        self.http.add_chall(self.achalls[0])
+        self.assertRaises(errors.PluginError, self.http.perform)
+
    def _test_challenge_conf(self):
        with open(self.http.challenge_conf_pre) as f:
            pre_conf_contents = f.read()
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -41,6 +41,7 @@ More details about these changes can be found on our GitHub repo.
 ### Fixed

 * Fix collections.abc imports for Python 3.9.
+* Fix Apache plugin to use less restrictive umask for making the challenge directory when a restrictive umask was set when certbot was started.

 More details about these changes can be found on our GitHub repo.