From a321c90db4a6d323f1a9bc06c4d861cee8868664 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 15 Feb 2021 00:32:29 +0100 Subject: Use dedicated system users for internal components. * The internal webserver now runs as a dedicated system user _lacme-www (and group nogroup) instead of www-data:www-data. This is configurable in the [webserver] section of the lacme(8) configuration file. * The internal ACME client now runs as a dedicated system user _lacme-client (and group nogroup) instead of nobody:nogroup. This is configurable in the [client] section of the lacme(8) configuration file. * The _lacme-www and _lacme-client system users are created automatically by lacme.postinst (hence a new Depends: adduser), and deleted on purge. (So make sure not to chown any file to these internal users.) --- debian/changelog | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 9c56889..2eeeb5c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,14 @@ lacme (0.7-2) UNRELEASED; urgency=medium + * The internal webserver now runs as a dedicated system user _lacme-www + (and group nogroup) instead of www-data:www-data. This is configurable + in the [webserver] section of the lacme(8) configuration file. + * The internal ACME client now runs as a dedicated system user _lacme-client + (and group nogroup) instead of nobody:nogroup. This is configurable in + the [client] section of the lacme(8) configuration file. + * The _lacme-www and _lacme-client system users are created automatically by + lacme.postinst (hence a new Depends: adduser), and deleted on purge. (So + make sure not to chown any file to these internal users.) * d/control: New lacme-accountd Suggests: openssl, gpg (for account key generation and decryption). * Add d/upstream/signing-key.asc, the OpenPGP used to signed upstream tags. -- cgit v1.2.3
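Review bot: The third added entry puts the warning against chowning files to _lacme-www or _lacme-client in a closing parenthetical and gives no reason, so an administrator skimming the changelog can easily miss it. Consider making it its own sentence and stating the consequence: because the users are deleted on purge, any file still owned by them is left with an orphaned UID, which a later account allocated the same UID would then own. Separately, the first two entries keep both users in group nogroup, which is not dedicated to lacme. A short note on whether the group is configurable in the same [webserver] and [client] sections as the user would help readers who want full separation. The entries also do not say whether an existing configuration that already names www-data or nobody is affected on upgrade, which is worth one line.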