[Letsencrypt-devel] Bug#873944: acmetool: private keys should be readable by ssl-cert group
david.magda at oicr.on.ca
Fri Sep 1 12:50:05 UTC 2017
There is a bit of a convention, created by the "ssl-cert" package AFAICT,
that private keys are owned by the group "ssl-cert". This allows packages
to not run as root but still have use the certs.
It also allows for processes to drop privileges and still have access if
they do a "reload".
The way the "ssl-cert" package does it is that it has a "postinst"
script that create the group if it doesn't already exist:
# Create the ssl-cert system group for snakeoil ownership:
if ! getent group ssl-cert >/dev/null; then
addgroup --quiet --system --force-badname ssl-cert
For "acmetool" it may need to be a "preinst" script so newly created dirs
can be chgrp'd properly.
That would mean that "/var/lib/acme/keys/" would be owned by "ssl-cert"
group and be have the set-GID bit on so new sub-dirs (and files with-in
them) have correct ownership. The umask would probably also have to change
from 077 to 027.
-- System Information:
Debian Release: 8.9
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages acmetool depends on:
ii init-system-helpers 1.22
ii libc6 2.19-18+deb8u10
ii libcap2 1:2.24-8
Versions of packages acmetool recommends:
pn dialog <none>
acmetool suggests no packages.
-- no debconf information
More information about the Letsencrypt-devel