Certificate access by group

[kpcyrd]

There are currently two places where the group is relevant:

• /var/lib/acme-redirect/ - systemd-tempfiles or openrc create this folder owned by acme-redirect:acme-redirect and 0750.
• /var/lib/acme-redirect/certs/*/privkey - created during renew and is set to 0640. Since you're likely to need root for your reload hooks the group for this file is likely to end up as root.

Services usually load the configuration privileged so this is not an issue, but they may need to be part of a specific group that is then granted access to /var/lib/acme-redirect/ and /var/lib/acme-redirect/certs/*/privkey.

The config should have an optional value that (if set) enforces a specific group if the group wasn't already set correctly during creation. The default configuration should set this to acme-redirect to match existing setups (development is going to need a different config), even if the renew is executed in unprivileged mode. If renew is executed by root we have the permissions necessary to update the group accordingly.

Our config value should be used for both of them, to ensure acme-redirect and systemd-tempfiles don't change this back and forth. /var/lib/acme-redirect/ can only be created with root permissions, so this is going to be done during the daemon setup (which is the most reliable way for us to ensure the setup can be done as root).

The owner for this folder is going to be:

• set according to the --user option in acme-redirect daemon if set
• left as-is if it isn't set
• if it doesn't exist we're going to create it with the owner being the current user (which is likely to be root)

Creating the folder with openrc or systemd-tempfiles isn't necessary afterwards.

[kpcyrd]

I've tried to implement this and ran into issues because the systemd unit is too locked down to modify anything that isn't a child of /var/lib/acme-redirect (this means we can't modify or create the directory itself). I'd rather keep this restriction in place instead of opening it up to modify everything in /var/lib, which means we need to rely on system-tempfiles again, which means the directory is going to have a hardcoded group.

It's still possible to implement this with a different approach:

• make /var/lib/acme-redirect o+x
• make /var/lib/acme-redirect/* o-rwx
• set the group from the config for /var/lib/acme-redirect/*

[alerque]

I havn't dug into the PR or how setting a group would help, but here's one I used today: Setting up Apache was easy because it only needs to read the public key. Exim wants to read the private key. Rather than muching with the actual ownership, adding an ACL for the exim group to have read access:

[cert]
name = "example.com"
dns_names = [
    "example.com",
]
exec = [
    "setfacl -m g:exim:r /var/lib/acme-redirect/live/example.com/privkey",
    "systemctl reload exim",
]

I wasn't even sure whether the file node would get destroyed on updates or the ACL get blown away, but there you have it. Assuming the order of exec is deterministic...