From owner-svn-src-head@freebsd.org Thu May 14 03:25:12 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D2DEA2E375F; Thu, 14 May 2020 03:25:12 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49MxkJ5FjSz3HQd; Thu, 14 May 2020 03:25:12 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id AF89845D1; Thu, 14 May 2020 03:25:12 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 04E3PCTV050251; Thu, 14 May 2020 03:25:12 GMT (envelope-from kevans@FreeBSD.org) Received: (from kevans@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 04E3PCwA050250; Thu, 14 May 2020 03:25:12 GMT (envelope-from kevans@FreeBSD.org) Message-Id: <202005140325.04E3PCwA050250@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kevans set sender to kevans@FreeBSD.org using -f From: Kyle Evans Date: Thu, 14 May 2020 03:25:12 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r361022 - head/usr.sbin/certctl X-SVN-Group: head X-SVN-Commit-Author: kevans X-SVN-Commit-Paths: head/usr.sbin/certctl X-SVN-Commit-Revision: 361022 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 May 2020 03:25:12 -0000 Author: kevans Date: Thu May 14 03:25:12 2020 New Revision: 361022 URL: https://svnweb.freebsd.org/changeset/base/361022 Log: certctl(8): don't completely nuke $CERTDESTDIR It's been reported/noted that a well-timed `certctl rehash` will completely obliterate $CERTDESTDIR, which may get used by ports or system administrators. While we can't guarantee the certctl semantics when other non-certctl-controlled bits live here, we should make some amount of effort to play nice. Pruning all existing links, which we'll subsequently rebuild as needed, is sufficient for our needs. This can still be destructive, but it's perhaps less likely to cause issues. I also note that we should probably be pruning /etc/ssl/blacklisted upon rehash as well. Reported by: cem's dovecot server MFC after: 3 days Modified: head/usr.sbin/certctl/certctl.sh Modified: head/usr.sbin/certctl/certctl.sh ============================================================================== --- head/usr.sbin/certctl/certctl.sh Thu May 14 03:01:23 2020 (r361021) +++ head/usr.sbin/certctl/certctl.sh Thu May 14 03:25:12 2020 (r361022) @@ -142,9 +142,11 @@ do_list() cmd_rehash() { - [ $NOOP -eq 0 ] && rm -rf "$CERTDESTDIR" - [ $NOOP -eq 0 ] && mkdir -p "$CERTDESTDIR" - [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR" + if [ $NOOP -eq 0 ]; then + [ -e "$CERTDESTDIR" ] && find "$CERTDESTDIR" -type link -delete + mkdir -p "$CERTDESTDIR" + mkdir -p "$BLACKLISTDESTDIR" + fi do_scan create_blacklisted "$BLACKLISTPATH" do_scan create_trusted_link "$TRUSTPATH"