From ee5bedd1995fc95b6fce24ac5b35cd02bdb78bd6 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 27 Jan 2016 17:51:05 +0100
Subject: Use socat's su option instead of setuid/setgid.

Since while setgid changes the primary group of the process, it doesn't
drop other group related privileges
---
 letsencrypt | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'letsencrypt')

diff --git a/letsencrypt b/letsencrypt
index 60695eb..b6235cf 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -24,7 +24,6 @@ PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 NAME=$(basename $0)
 
 WWW_USER=www-data
-WWW_GROUP=www-data
 ACME_WEBSERVER=/usr/lib/letsencrypt-tiny/webserver
 ACME_CLIENT=/usr/lib/letsencrypt-tiny/client
 CAfile=/usr/share/letsencrypt-tiny/lets-encrypt-x1-cross-signed.pem
@@ -213,7 +212,7 @@ elif [ "$COMMAND" = 'new-cert' ]; then
     TMPFILES+=( "$x509" )
 
     [ ! "${RUNAS:-}" ] || chown "$RUNAS" "$CHALLENGE_DIR" "$x509"
-    chgrp "$WWW_GROUP" "$CHALLENGE_DIR"
+    chgrp "$(id -g -- "$WWW_USER")" "$CHALLENGE_DIR"
     chmod 0750 "$CHALLENGE_DIR"
 
     # Make sure a webserver is configured to server ACME challenges
@@ -231,8 +230,11 @@ elif [ "$COMMAND" = 'new-cert' ]; then
         (
             [ ! "$DEBUG" ] || echo "Starting ACME webserver in $CHALLENGE_DIR" >&2
             cd "$CHALLENGE_DIR" || exit 1
+            # use the "su" otion rather than "setuid/setgid" since while setgid
+            # changes the primary group of the process, it doesn't drop other
+            # group related privileges
             exec socat \
-                TCP-LISTEN:80,setgid="$WWW_GROUP",setuid="$WWW_USER",reuseaddr,fork,max-children=5 \
+                TCP-LISTEN:80,su="$WWW_USER",reuseaddr,fork,max-children=5 \
                 EXEC:"$ACME_WEBSERVER"
         )&
     fi
-- 
cgit v1.2.3