svn commit: r361022 - head/usr.sbin/certctl

[Kyle Evans]

Author: kevans
Date: Thu May 14 03:25:12 2020
New Revision: 361022
URL: https://svnweb.freebsd.org/changeset/base/361022

Log:
  certctl(8): don't completely nuke $CERTDESTDIR
  
  It's been reported/noted that a well-timed `certctl rehash` will completely
  obliterate $CERTDESTDIR, which may get used by ports or system
  administrators. While we can't guarantee the certctl semantics when other
  non-certctl-controlled bits live here, we should make some amount of effort
  to play nice.
  
  Pruning all existing links, which we'll subsequently rebuild as needed, is
  sufficient for our needs. This can still be destructive, but it's perhaps
  less likely to cause issues.
  
  I also note that we should probably be pruning /etc/ssl/blacklisted upon
  rehash as well.
  
  Reported by:	cem's dovecot server
  MFC after:	3 days

Modified:
  head/usr.sbin/certctl/certctl.sh

Modified: head/usr.sbin/certctl/certctl.sh
==============================================================================
--- head/usr.sbin/certctl/certctl.sh	Thu May 14 03:01:23 2020	(r361021)
+++ head/usr.sbin/certctl/certctl.sh	Thu May 14 03:25:12 2020	(r361022)
@@ -142,9 +142,11 @@ do_list()
 cmd_rehash()
 {
 
-	[ $NOOP -eq 0 ] && rm -rf "$CERTDESTDIR"
-	[ $NOOP -eq 0 ] && mkdir -p "$CERTDESTDIR"
-	[ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
+	if [ $NOOP -eq 0 ]; then
+		[ -e "$CERTDESTDIR" ] && find "$CERTDESTDIR" -type link -delete
+		mkdir -p "$CERTDESTDIR"
+		mkdir -p "$BLACKLISTDESTDIR"
+	fi
 
 	do_scan create_blacklisted "$BLACKLISTPATH"
 	do_scan create_trusted_link "$TRUSTPATH"