-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Audit file permissions for directories and files created by client and renewer #420
Comments
@jsha noticed that the client currently wants some directories to have mode 755 and this is mandatory. I'm not sure that's the right policy. |
Results of a partial audit, observing the results of running LE rather than reading all relevant code: Everything under /etc/letsencrypt/ is 700, except for Everything under There are world-readable backups of some things in |
Opened #1396 |
I think that's sufficient confidence to kick further work on this down the road for now. |
So, how to make it possible for a Rails server run as a normal user to access the keys on /live directory? |
@acrolink: Could you post your question at https://community.letsencrypt.org/? This issue is about a different question. Thanks! |
I did an audit of the files in all the
"enforced" means the permissions are verified with As I mentioned in #1473, the biggest problem is that the permissions on |
This is my server directory, totally managed by cerbot, I never changed any permission:
I think it's way too permissing, expecially for the Private key. |
Hi @maurorappa! We fixed this in #6480, which should be in the most recent release of Certbot v0.29.1. Regardless, your private key should still be safe as long as the permissions on the containing directories have remained the same (non group or world readable) as when Certbot created them. |
We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed. |
It seems that we finished the audit, so closing. If we want to do a file directory structure rehaul in the future, that should go in a new issue. |
I don't specifically know that they're wrong, but we need to check them to make sure they're all reasonable.
The text was updated successfully, but these errors were encountered: