-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set permissions of privkey.pem to 0600 #1760
Conversation
Sendmail requires privkey.pem to be unreadable by anything except root. Create privkey.pem as 0600, and make the permissions of the certificate files explictly 0644. Writing through the live symlink to the archive directory prevents using O_EXCL | O_CREAT, so write directly to the archive instead.
Fixes #1473 |
That would break, e.g., cyrus-imapd, since it doesn't run as root (note that it doesn't work by default either unless I manually chgrp the certificates to mail and change the permission/group of the containing directories). |
The same problem breaks opensmtpd:
I need to manually change the permissions to fix this:
There's something else strange here: the symlink's permissions are 777, even though the actual file isn't. The permissions of the symlinks should match the permissions of the files! Some programs are going to be more or less picky about permissions than others, and I suspect some will flat out contradict (e.g. if a program assumes the certs are owned by its user, or difference of opinion about if certs should be read pre or post priv-dropping). #1504 argues that each specific piece of software should get a different adaptor script. I don't know what's best. |
It seems we will want it to be configurable, but it's still not clear what the best default is. (When using a specific installer, the installer could maybe have a default that's appropriate for the software that the installer is integrating with, but we're not always using a specific installer because people also want certs for external software that we don't directly integrate with or that they don't want us to configure for them.) |
If someone else reviews this, note also the parallel PR #1705 for the same purpose. |
I'm surprised by Cyrus' behavior. Most other daemons (eg postfix, apache) start up as root to get the keys, then drop to a non-privileged user. |
👍 to avoiding knobs in letsencrypt. Daemons are not consistent and that is hard to support, but the more configuration in core letsencrypt the more chance for something to go wrong. Maybe there should be a letsencrypt group ( |
Using Debian 8, there's a group |
Configurable permissions and ownership for certificates and files would be nice. Another example: Prosody drops root long before it even starts. Even a hidden option somewhere to chown/chmod certificates and keys meant for it to a different user would make using Let's Encrypt with it much easier. |
I just renewed my certs and this issue bit me again. I cannot set up auto-renew because opensmtpd is prissy: I must go in and manually I see that since I last checked in, I could use hard-links to effectively lie to smtpd about the permissions:
and arrange for smtpd to use the stable address of
but this requires me to redo it every time I renew and for each domain vhosted. |
Oh wait scratch that I don't know how hardlinks work: permissions are on the inode, not the directory entry, so hardlinks share permissions. Which I guess makes sense. So instead of
|
@convissor: As noted in this thread there are many daemons not reading key material with "root". Exim is another notable example. So we need a solution for them. @kousu: While less knobs in letsencrypt are generally a good idea I think we need some here. The ability to screw up can be mitigated by a safe default which is "mode=0600" with uid/gid root/root. Hence most people will be safe by default and admins can opt in to set an unsafe default. |
@kousu: renew hooks were merged today (3d26048). This might be best workaround to set permissions/ownership short of a specialized config option (which I still prefer, seems to be harder to mess up on the admin side + doesn't require admins to write the same logic over and over again). |
Setting the permissions as a post hook is a terrible, broken idea; that means that the permissions are temporarily too permissive. A better workaround would be to just set the umask to something more restrictive. |
Friendly bump. Also just got burned by opensmtpd on this:
|
FWIW, I think that the best solution is just to configure the process' umask appropriately. If running certbot from a systemd service, stick the line At the end of the day, setting the process' umask is the standard, configurable, way to control the permissions files created by a process. It's not a hack, it's the standard Unix administration way of doing it. Meanwhile, if it set the permissions to 0600 explicitly in the source, then I would have to resort to hacks to get a nice 0640 permission allowing services (nginx, smtpd, et c.) never need root, but just to be a member of the special cert-reading group. On the other hand, having them be 0644 by default is antagonistic to certbot's goal of being as close to magical and zero-setup as possible, as 0644 is pretty wrong. Perhaps the best thing to do is to set the umask explicitly at program startup, and add a --umask flag that changes the umask away from the default 0077. |
👍 to @LukeShu |
Re: umask on the process, won't that affect the operation of I think I agree in principle that umask 0077 is a good default, but considering all the automagical stuff that |
@blendmaster You are right, 0077 might interfere with webroot. On the other hand, you could use FACLs on the certs directory to set a default permission on the directory itself (essentially setting a per-directory umask, instead of a per-process umask). But yes, a flag is probably the best option. |
Thanks for this suggestion. I did:
and renewed certs do get created at 600. The public key and chain are unfortunately also only root-accessible now, but at least for me, that's fine. |
Sendmail requires privkey.pem to be unreadable by anything except
root. Create privkey.pem as 0600, and make the permissions of the
certificate files explictly 0644.
Writing through the live symlink to the archive directory prevents
using O_EXCL | O_CREAT, so write directly to the archive instead.