Merge pull request #1009 from bamarni/acme-perms

check permissions on acme.json during startup

acme/localStore.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"os"
 	"sync"
 
 	"github.com/containous/traefik/cluster"
@@ -38,7 +39,21 @@ func (s *LocalStore) Load() (cluster.Object, error) {
 	s.storageLock.Lock()
 	defer s.storageLock.Unlock()
 	account := &Account{}
-	file, err := ioutil.ReadFile(s.file)
+
+	f, err := os.Open(s.file)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	fi, err := f.Stat()
+	if err != nil {
+		return nil, err
+	}
+	if fi.Mode().Perm()&0077 != 0 {
+		return nil, fmt.Errorf("permissions %o for %s are too open, please use 600", fi.Mode().Perm(), s.file)
+	}
+
+	file, err := ioutil.ReadAll(f)
 	if err != nil {
 		return nil, err
 	}

server.go

@@ -499,7 +499,7 @@ func (server *Server) prepareServer(entryPointName string, router *middlewares.H
 	negroni.UseHandler(router)
 	tlsConfig, err := server.createTLSConfig(entryPointName, entryPoint.TLS, router)
 	if err != nil {
-		log.Errorf("Error creating TLS config %s", err)
+		log.Errorf("Error creating TLS config: %s", err)
 		return nil, err
 	}
 
@@ -517,7 +517,7 @@ func (server *Server) prepareServer(entryPointName string, router *middlewares.H
 		TLSConfig: tlsConfig,
 	}, tlsConfig)
 	if err != nil {
-		log.Errorf("Error hijacking server %s", err)
+		log.Errorf("Error hijacking server: %s", err)
 		return nil, err
 	}
 	return gracefulServer, nil