Closed slingamn closed 6 years ago
Are you really running stunnel as root?
That's correct.
Really what should happen here is that stunnel upstream should add support for seccomp-bpf; that way, the daemon's zygote can read arbitrary certificates and connect to arbitrary UNIX domain sockets, but the processes that actually serve traffic can be restricted to read/write/poll/gettimeofday.
That's one way of looking at it. Another way of looking at is that Unix has had capabilities for non-superuser processes to read credential files since day 1.
The hard part is getting cooperation from Certbot (which should probably have sole control over /etc/letsencrypt
).
Here's the totally ridiculous thing we do to make the certificates available to exim: https://github.com/darwin-network/slash/blob/000542cc675371d6c4600b8c432ed14d3db6e8ca/etc/cron.daily/install-exim-certificates
Check this out. I rescind my earlier comment about groups. The way this works on Apache, nginx, etc. is they start as root, read the certificates, and then call setuid() and setgid() to become unprivileged. stunnel supports two configuration options, setuid and setgid.
Closing out the discussion, there are three viable solutions:
setuid
and setgid
stunnel config options; make copies of the LE certificates owned by that uid/gid pair (because otherwise stunnel won't be able to SIGHUP reload them after dropping privileges). This is the solution that was implemented.
Use the
setuid
andsetgid
config lines; make sure it can still read the right certificates and connect to the right UNIX domain socket, even after SIGHUP.