aboutsummaryrefslogtreecommitdiffstats
path: root/letsencrypt
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-01-27 17:51:05 +0100
committerGuilhem Moulin <guilhem@fripost.org>2016-01-27 18:03:09 +0100
commitee5bedd1995fc95b6fce24ac5b35cd02bdb78bd6 (patch)
tree4460c7c1e3ddca78ecad37e66a5c21ac71ccf87f /letsencrypt
parent589bccb512a2a3d99366df90bcaa7f4ae94f82b5 (diff)
Use socat's su option instead of setuid/setgid.
Since while setgid changes the primary group of the process, it doesn't drop other group related privileges
Diffstat (limited to 'letsencrypt')
-rwxr-xr-xletsencrypt8
1 files changed, 5 insertions, 3 deletions
diff --git a/letsencrypt b/letsencrypt
index 60695eb..b6235cf 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -24,7 +24,6 @@ PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NAME=$(basename $0)
WWW_USER=www-data
-WWW_GROUP=www-data
ACME_WEBSERVER=/usr/lib/letsencrypt-tiny/webserver
ACME_CLIENT=/usr/lib/letsencrypt-tiny/client
CAfile=/usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem
@@ -213,7 +212,7 @@ elif [ "$COMMAND" = 'new-cert' ]; then
TMPFILES+=( "$x509" )
[ ! "${RUNAS:-}" ] || chown "$RUNAS" "$CHALLENGE_DIR" "$x509"
- chgrp "$WWW_GROUP" "$CHALLENGE_DIR"
+ chgrp "$(id -g -- "$WWW_USER")" "$CHALLENGE_DIR"
chmod 0750 "$CHALLENGE_DIR"
# Make sure a webserver is configured to server ACME challenges
@@ -231,8 +230,11 @@ elif [ "$COMMAND" = 'new-cert' ]; then
(
[ ! "$DEBUG" ] || echo "Starting ACME webserver in $CHALLENGE_DIR" >&2
cd "$CHALLENGE_DIR" || exit 1
+ # use the "su" otion rather than "setuid/setgid" since while setgid
+ # changes the primary group of the process, it doesn't drop other
+ # group related privileges
exec socat \
- TCP-LISTEN:80,setgid="$WWW_GROUP",setuid="$WWW_USER",reuseaddr,fork,max-children=5 \
+ TCP-LISTEN:80,su="$WWW_USER",reuseaddr,fork,max-children=5 \
EXEC:"$ACME_WEBSERVER"
)&
fi