[Letsencrypt-devel] Bug#873944: acmetool: private keys should be readable by ssl-cert group

David Magda david.magda at oicr.on.ca
Fri Sep 1 12:50:05 UTC 2017

Package: acmetool
Version: 0.0.59-1+b1
Severity: wishlist

There is a bit of a convention, created by the "ssl-cert" package AFAICT,
that private keys are owned by the group "ssl-cert". This allows packages
to not run as root but still have use of the certs.

It also allows for processes to drop privileges and still have access if
they do a "reload".

The way the "ssl-cert" package does it is that it has a "postinst"
script that creates the group if it doesn't already exist:

        # Create the ssl-cert system group for snakeoil ownership:
        if ! getent group ssl-cert >/dev/null; then
                addgroup --quiet --system --force-badname ssl-cert
        fi


For "acmetool" it may need to be a "preinst" script so newly created dirs
can be chgrp'd properly.

That would mean that "/var/lib/acme/keys/" would be owned by "ssl-cert"
group and have the set-GID bit on so new sub-dirs (and files within
them) have correct ownership. The umask would probably also have to change
from 077 to 027.

-- System Information:
Debian Release: 8.9
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages acmetool depends on:
ii  init-system-helpers  1.22
ii  libc6                2.19-18+deb8u10
ii  libcap2              1:2.24-8

Versions of packages acmetool recommends:
pn  dialog  <none>

acmetool suggests no packages.

-- no debconf information
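
The layout proposed in the report above (group-owned key directory, set-GID bit, umask 027), rebuilt in a scratch directory and audited. This is an added example, not part of the original report or of the acmetool or ssl-cert packaging. The function names and the "examplekey"/"privkey" paths are hypothetical, the caller's own GID stands in for "ssl-cert" so it runs unprivileged, and Linux set-GID inheritance for new sub-directories is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). On a real host the root would be
# /var/lib/acme/keys and the group ssl-cert; here both are passed as arguments.

make_key_tree() {   # $1 = root dir, $2 = group
    ( umask 027                        # proposed umask: group may read, others get nothing
      mkdir -p "$1" &&
      chgrp "$2" "$1" &&
      chmod 2750 "$1" &&               # rwxr-s---: set-GID so children inherit the group
      mkdir "$1/examplekey" &&         # constructed sub-dir; inherits group and set-GID bit
      : > "$1/examplekey/privkey" )    # constructed empty key file, created 0640
}

audit_key_tree() {  # $1 = root dir, $2 = expected group; prints one line per finding
    find "$1" ! -group "$2" -exec printf 'wrong-group %s\n' {} \;
    find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \) \
        -exec printf 'world-access %s\n' {} \;
    find "$1" -type d ! -perm -2000 -exec printf 'no-setgid %s\n' {} \;
    find "$1" -type f ! -perm -040 -exec printf 'group-unreadable %s\n' {} \;
}

# Demonstration in a throwaway directory.
tmp=$(mktemp -d)
gid=$(id -g)
make_key_tree "$tmp/keys" "$gid"
audit_key_tree "$tmp/keys" "$gid"            # proposed layout: no findings
chmod 0644 "$tmp/keys/examplekey/privkey"    # simulate a key left world-readable
audit_key_tree "$tmp/keys" "$gid"            # reports the world-access finding
rm -rf "$tmp"
```

A file created under the current 077 umask shows up as "group-unreadable", which is the case the umask change in the report is meant to remove.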
