Open kpcyrd opened 4 years ago
I've tried to implement this and ran into issues because the systemd unit is too locked down to modify anything that isn't a child of /var/lib/acme-redirect (this means we can't modify or create the directory itself). I'd rather keep this restriction in place instead of opening it up to modify everything in /var/lib, which means we need to rely on system-tempfiles again, which means the directory is going to have a hardcoded group.
It's still possible to implement this with a different approach:
```
/var/lib/acme-redirect    o+x
/var/lib/acme-redirect/*  o-rwx
```
I haven't dug into the PR or how setting a group would help, but here's one I used today: Setting up Apache was easy because it only needs to read the public key. Exim wants to read the private key. Rather than mucking with the actual ownership, adding an ACL for the exim group to have read access:
```toml
[cert]
name = "example.com"
dns_names = [
    "example.com",
]
exec = [
    "setfacl -m g:exim:r /var/lib/acme-redirect/live/example.com/privkey",
    "systemctl reload exim",
]
```
I wasn't even sure whether the file node would get destroyed on updates or the ACL get blown away, but there you have it. Assuming the order of `exec` is deterministic...
There are currently two places where the group is relevant:

- `/var/lib/acme-redirect/` - systemd-tempfiles or openrc create this folder owned by `acme-redirect:acme-redirect` and `0750`.
- `/var/lib/acme-redirect/certs/*/privkey` - created during renew and is set to `0640`. Since you're likely to need root for your reload hooks the group for this file is likely to end up as `root`.

Services usually load the configuration privileged so this is not an issue, but they may need to be part of a specific group that is then granted access to `/var/lib/acme-redirect/` and `/var/lib/acme-redirect/certs/*/privkey`.

The config should have an optional value that (if set) enforces a specific group if the group wasn't already set correctly during creation. The default configuration should set this to `acme-redirect` to match existing setups (development is going to need a different config), even if the renew is executed in unprivileged mode. If renew is executed by root we have the permissions necessary to update the group accordingly.

Our config value should be used for both of them, to ensure acme-redirect and systemd-tempfiles don't change this back and forth.

`/var/lib/acme-redirect/` can only be created with root permissions, so this is going to be done during the daemon setup (which is the most reliable way for us to ensure the setup can be done as root). The owner for this folder is going to be:

- `--user` option in `acme-redirect daemon` if set

Creating the folder with openrc or systemd-tempfiles isn't necessary afterwards.
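As an added example (not acme-redirect's own code), a small Python audit of the permission scheme laid out in this thread: the state directory `0750` and each `privkey` `0640`, both owned by the expected group, and everything else below the state directory `o-rwx`. It inspects only mode bits and group ownership, so read access granted with `setfacl` as in the exim hook above would not show up; the temp-dir sample tree and the cert name `example.com` are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Expected layout from the thread: the state directory is 0750 and each
# privkey is 0640, both owned by the configured group; everything else o-rwx.
DIR_MODE = 0o750
PRIVKEY_MODE = 0o640


def audit_state_dir(root, expected_gid):
    """Return (path, problem) tuples; an empty list means the tree conforms.
    Only mode bits and gid are inspected; POSIX ACL grants (setfacl) are not."""
    root = Path(root)
    findings = []

    def check(path, want_mode):
        st = path.lstat()
        mode = stat.S_IMODE(st.st_mode)
        if mode != want_mode:
            findings.append((str(path), f"mode {mode:04o}, want {want_mode:04o}"))
        if st.st_gid != expected_gid:
            findings.append((str(path), f"gid {st.st_gid}, want {expected_gid}"))

    check(root, DIR_MODE)
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue  # mode bits on symlinks are not meaningful
        if path.name == "privkey":
            check(path, PRIVKEY_MODE)
        elif stat.S_IMODE(path.lstat().st_mode) & 0o007:
            # Everything else below the state directory should be o-rwx.
            findings.append((str(path), "world-accessible bits set"))
    return findings


def make_sample_tree(privkey_mode=PRIVKEY_MODE):
    """Constructed sample tree in a temp dir (hypothetical cert 'example.com')."""
    base = Path(tempfile.mkdtemp())
    cert_dir = base / "certs" / "example.com"
    cert_dir.mkdir(parents=True)
    for d in (base, base / "certs", cert_dir):
        os.chmod(d, DIR_MODE)
    privkey = cert_dir / "privkey"
    privkey.write_text("constructed placeholder, not a real key\n")
    os.chmod(privkey, privkey_mode)
    return base
```

Calling `audit_state_dir(make_sample_tree(privkey_mode=0o644), gid)` reports the too-open key as `mode 0644, want 0640`, which is the case the `0640` rule above is meant to catch.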