OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: beclar2 on March 19, 2017, 05:49:57 pm
-
Hi,
is it a desired behaviour of the Let´s encrypt Package that "Test config" makes certificates and keys readable for any user with shell access?
New certificates are stored under /var/etc/acme-client/home/name_of_the_certificate with owner root:wheel and permission 0750 (drwxr-x---). That means normal users with restricted shell access cannot access the subdirectory. So far, so good.
BUT: "Test config" via WebGui (Let´s Encrypt -> Settings) changes permissions of the directory to 0755 (=drwxr-xr-x). This makes the certificate, configuration and key file readable for any user with shell access.
Actually I can´t see any reason for this behaviour as "Test config" shouldn´t change any permissions.
Thanks
beclar2
-
Hmm, I've passed this to the maintainer of the plugin.
Thank you,
Franco
-
is it a desired behaviour of the Let´s encrypt Package that "Test config" makes certificates and keys readable for any user with shell access?
Actually I can´t see any reason for this behaviour as "Test config" shouldn´t change any permissions.
Good catch. Thank you! Will be fixed with the next release of our LE plugin:
https://github.com/opnsense/plugins/pull/91
The reason for this behaviour: The "Test config" button calls a setup script to ensure that the configuration is ready. But the setup script should not make sensitive data world-readable, apparently. Sorry for that.
Regards
- Frank
-
Thank you for the fast bug fix!
What about the account keys under /var/etc/acme-client/accounts/...? These are also world-readable and not part of ACME_DIRS in the setup script.