prosodyctl: Set stricter umask while generating key (thanks darkrain)

diff --git a/prosodyctl b/prosodyctl
index 12117c0f25b266ce2c764ef2baf510fae059db1b..93eac3f2e0b84e2e53ebfc3f2a0b6d1d93fd5fd7 100755 (executable)
--- a/prosodyctl
+++ b/prosodyctl
@@ -686,11 +686,13 @@ function cert_commands.key(arg)
                if ask_overwrite(key_filename) then
                        return nil, key_filename;
                end
-               os.remove(key_filename); -- We chmod this file to not have write permissions
+               os.remove(key_filename); -- This file, if it exists is unlikely to have write permissions
                local key_size = tonumber(arg[2] or show_prompt("Choose key size (2048):") or 2048);
+               local old_umask = pposix.umask("0377");
                if openssl.genrsa{out=key_filename, key_size} then
                        os.execute(("chmod 400 '%s'"):format(key_filename));
                        show_message("Key written to ".. key_filename);
+                       pposix.umask(old_umask);
                        return nil, key_filename;
                end
                show_message("There was a problem, see OpenSSL output");