From e9a2ac4980bf299dd2daab947c8131a594fa8d65 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 25 Jun 2022 17:35:23 +0000
Subject: [PATCH] go/secretsmgr: set group after deleting files

---
 go/secretsmgr/secretsmgr.go | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/go/secretsmgr/secretsmgr.go b/go/secretsmgr/secretsmgr.go
index 79fe7425ff..f5983699c2 100644
--- a/go/secretsmgr/secretsmgr.go
+++ b/go/secretsmgr/secretsmgr.go
@@ -479,12 +479,6 @@ func shouldRenewACMECert(c acmeCertificate) (bool, error) {
 }
 
 func writeCertificate(certDef acmeCertificate, cert *vapi.Secret) error {
-	restoreGroup, err := setGroup(certDef.Group)
-	if err != nil {
-		return fmt.Errorf("setting group to write output: %w", err)
-	}
-	defer restoreGroup()
-
 	setFiles := []struct {
 		name    string
 		content []byte
@@ -504,10 +498,18 @@ func writeCertificate(certDef acmeCertificate, cert *vapi.Secret) error {
 	}}
 
 	for _, sf := range setFiles {
-		log.Infof("writing file %v mode %s", sf.name, sf.perm)
-
 		os.Remove(sf.name) // optimistically try to remove the file, we don't care if it succeeds
 		// if it doesn't, we'll error when we try to open it
+	}
+
+	restoreGroup, err := setGroup(certDef.Group)
+	if err != nil {
+		return fmt.Errorf("setting group to write output: %w", err)
+	}
+	defer restoreGroup()
+
+	for _, sf := range setFiles {
+		log.Infof("writing file %v mode %s group %s", sf.name, sf.perm, certDef.Group)
 		f, err := os.OpenFile(sf.name, os.O_WRONLY|os.O_CREATE|os.O_EXCL, sf.perm)
 		if err != nil {