diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2016-01-27 17:51:05 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2016-01-27 18:03:09 +0100 |
| commit | ee5bedd1995fc95b6fce24ac5b35cd02bdb78bd6 (patch) | |
| tree | 4460c7c1e3ddca78ecad37e66a5c21ac71ccf87f | |
| parent | 589bccb512a2a3d99366df90bcaa7f4ae94f82b5 (diff) | |
Use socat's su option instead of setuid/setgid.
Since while setgid changes the primary group of the process, it doesn't
drop other group related privileges
| -rwxr-xr-x | letsencrypt | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/letsencrypt b/letsencrypt index 60695eb..b6235cf 100755 --- a/letsencrypt +++ b/letsencrypt @@ -24,7 +24,6 @@ PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin NAME=$(basename $0) WWW_USER=www-data -WWW_GROUP=www-data ACME_WEBSERVER=/usr/lib/letsencrypt-tiny/webserver ACME_CLIENT=/usr/lib/letsencrypt-tiny/client CAfile=/usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem @@ -213,7 +212,7 @@ elif [ "$COMMAND" = 'new-cert' ]; then TMPFILES+=( "$x509" ) [ ! "${RUNAS:-}" ] || chown "$RUNAS" "$CHALLENGE_DIR" "$x509" - chgrp "$WWW_GROUP" "$CHALLENGE_DIR" + chgrp "$(id -g -- "$WWW_USER")" "$CHALLENGE_DIR" chmod 0750 "$CHALLENGE_DIR" # Make sure a webserver is configured to server ACME challenges @@ -231,8 +230,11 @@ elif [ "$COMMAND" = 'new-cert' ]; then ( [ ! "$DEBUG" ] || echo "Starting ACME webserver in $CHALLENGE_DIR" >&2 cd "$CHALLENGE_DIR" || exit 1 + # use the "su" otion rather than "setuid/setgid" since while setgid + # changes the primary group of the process, it doesn't drop other + # group related privileges exec socat \ - TCP-LISTEN:80,setgid="$WWW_GROUP",setuid="$WWW_USER",reuseaddr,fork,max-children=5 \ + TCP-LISTEN:80,su="$WWW_USER",reuseaddr,fork,max-children=5 \ EXEC:"$ACME_WEBSERVER" )& fi |