| -rwxr-xr-x | letsencrypt | 8 | 
1 files changed, 5 insertions, 3 deletions
diff --git a/letsencrypt b/letsencrypt
index 60695eb..b6235cf 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -24,7 +24,6 @@ PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 NAME=$(basename $0)
 WWW_USER=www-data
-WWW_GROUP=www-data
 ACME_WEBSERVER=/usr/lib/letsencrypt-tiny/webserver
 ACME_CLIENT=/usr/lib/letsencrypt-tiny/client
 CAfile=/usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem
@@ -213,7 +212,7 @@ elif [ "$COMMAND" = 'new-cert' ]; then
     TMPFILES+=( "$x509" )
     [ ! "${RUNAS:-}" ] || chown "$RUNAS" "$CHALLENGE_DIR" "$x509"
-    chgrp "$WWW_GROUP" "$CHALLENGE_DIR"
+    chgrp "$(id -g -- "$WWW_USER")" "$CHALLENGE_DIR"
     chmod 0750 "$CHALLENGE_DIR"
     # Make sure a webserver is configured to server ACME challenges
@@ -231,8 +230,11 @@ elif [ "$COMMAND" = 'new-cert' ]; then
         (
             [ ! "$DEBUG" ] || echo "Starting ACME webserver in $CHALLENGE_DIR" >&2
             cd "$CHALLENGE_DIR" || exit 1
+            # use the "su" otion rather than "setuid/setgid" since while setgid
+            # changes the primary group of the process, it doesn't drop other
+            # group related privileges
             exec socat \
-                TCP-LISTEN:80,setgid="$WWW_GROUP",setuid="$WWW_USER",reuseaddr,fork,max-children=5 \
+                TCP-LISTEN:80,su="$WWW_USER",reuseaddr,fork,max-children=5 \
                 EXEC:"$ACME_WEBSERVER"
         )&
     fi
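Review bot: The group passed to the new `chgrp` line comes from an unchecked command substitution: if `$WWW_USER` does not exist on the host, `id` fails, the substitution expands to an empty string and `chgrp` is invoked with `""` as the group, so the error the operator sees points at chgrp rather than at the missing user. A failed substitution inside an argument is not caught by `set -e` either, whatever the script's settings are (they are not visible in this hunk). I would resolve the group once with an explicit failure path, e.g. `WWW_GID=$(id -g -- "$WWW_USER") || exit 1` ahead of this block, then `chgrp "$WWW_GID" "$CHALLENGE_DIR"`. The enclosing `elif` branch starts and ends outside the hunk.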
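Review bot: The comment added above `exec socat` misspells "option" as `otion` and names the reason for the switch only indirectly; since this is the privilege-dropping step for a listener that must start as root to bind port 80, it is worth being exact. I would write it as `# Use socat's "su=" rather than "setuid=,setgid=": setgid only changes the primary group and leaves the supplementary groups inherited from root, whereas su= also resets them to the target user's groups.` If I read socat's option phases correctly, `su=` is applied after the socket is bound, so the accepting process drops root as well as the forked children — worth confirming and noting if so. The subshell that wraps this `exec` is fully inside the hunk, but the `if` it belongs to begins outside it.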
