A certain user can't access the cert-files


#1

Hi

I'm currently baffled by a riddle and I'm not sure if I should trust the internet. I have the certificates for office.grosskopfgames.de in the live folder; I can use them if I copy them out, but because by default /etc/letsencrypt/live and /etc/letsencrypt/archive are 700 root:root, of course when I run LibreOffice Online as the user lool it cannot access the private key and the certificate, as they are in this folder. Nginx, on the other hand, is able to access files in there. How does this work? On the internet people claim I should just give my user read rights to the live and the archive folder, but I feel having my certificate readable by such a user would compromise the security of all my private keys. Or am I wrong about this? How does nginx manage to read those files?

Greetings, Gerrit

My domain is:
office.grosskopfgames.de
I ran this command:
loolwsd 3.1 as user lool, with the certificates pointing at a copy of the certificates and pointing at the file in /etc/letsencrypt/live
It produced this output:
It crashed when I made it point at the /letsencrypt/live but not when I pointed it at the copy.
My web server is (include version):
nginx
The operating system my web server runs on is (include version):
Ubuntu 16.04
My hosting provider, if applicable, is:
Strato in Germany
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

nginx and similar daemons start with root privileges, and drop them before they start processing requests (or other variations on that theme, such as a privileged master process).

E.g. here you can see the master runs as root, but the actual worker that processes requests runs as a non-privileged user:

If you want a non-privileged user to be able to access the private key and certificate files, then you could either:

  • Use filesystem ACLs to grant read permissions, or
  • Use a deploy hook upon certificate issuance/renewal to copy the private key and certificate to another directory that is readable by the lower-privileged user
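
The deploy-hook approach from the second bullet, as an added example that is not part of the thread: a certbot deploy hook that copies only this one lineage's certificate and key into a directory owned by the unprivileged service user, so /etc/letsencrypt/live and /etc/letsencrypt/archive can stay 0700 root:root. Certbot exports `RENEWED_LINEAGE` (the live directory of the lineage just renewed) to deploy hooks; the target directory `/etc/loolwsd/certs`, the `lool` user/group and the `loolwsd` service name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the certbot project).
# Install as /etc/letsencrypt/renewal-hooks/deploy/loolwsd.sh (chmod 755),
# or pass it to `certbot renew --deploy-hook`.
set -eu

# deploy_certs SRC_LIVE_DIR DEST_DIR OWNER GROUP
# Copies fullchain.pem and privkey.pem out of a lineage directory, fixes
# ownership and modes, and fails (without touching an existing copy) if
# either source file is missing.
deploy_certs() {
    src="$1"; dest="$2"; owner="$3"; group="$4"

    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done

    umask 077                       # new files start out owner-only
    mkdir -p "$dest"
    chown "$owner:$group" "$dest"
    chmod 750 "$dest"               # owner and group may traverse, nobody else

    # cp follows the live/ symlinks into archive/; write to temp names and
    # rename so the service never reads a half-written key.
    cp "$src/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$src/privkey.pem"   "$dest/privkey.pem.tmp"
    chown "$owner:$group" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    chmod 644 "$dest/fullchain.pem.tmp"   # the certificate chain is public
    chmod 640 "$dest/privkey.pem.tmp"     # key readable by owner and group only
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# When certbot runs this hook, act only on the lineage that was renewed.
# Service user, target directory and restart command are assumptions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    case "$RENEWED_LINEAGE" in
        */office.grosskopfgames.de)
            deploy_certs "$RENEWED_LINEAGE" /etc/loolwsd/certs lool lool
            systemctl restart loolwsd
            ;;
    esac
fi
```

The ACL alternative (`setfacl -m u:lool:rx` on live/ and archive/ plus `u:lool:r` on the key) lets the user traverse every lineage on the host, which is exactly the exposure the hook avoids.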

#3

Thank you a lot, then it shall be the hooks to use; that way I don't compromise the security of the other certificates' private keys as much ^^ Finally no more self-signed stuff in my LibreOffice Online installation :smiley:

