Certbot-auto has insecure permissions!

Hello,

All works fine, also the renewal of the certs, but every time the cronjob runs to check the certs I get this error message:

/etc/cron.daily/letscencrypt:
/opt/letsencrypt/certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices

The command, which is executed:
/opt/letsencrypt/certbot-auto renew --quiet --post-hook "systemctl reload apache2"

I checked the permission:
$ ls -la /opt/letsencrypt/certbot-auto
-rwxr-xr-x 1 root root 68699 Nov 7 00:07 /opt/letsencrypt/certbot-auto

It looks fine. Or not? What is the error?

The version of certbot-auto:
$ /opt/letsencrypt/certbot-auto --version
Requesting to rerun /opt/letsencrypt/certbot-auto with root privileges…
/opt/letsencrypt/certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
certbot 0.40.1

My OS: Ubuntu 18.04.3 LTS

Who can give me a hint?

Best regards
Maik

1 Like

What’s the output of

ls -ld /opt/letsencrypt/

?

It should overcome the lack of root privilege.
But ideally you would run the job using sudo.

That’s just when he ran certbot for the --version information…

Yeah but that will happen every time certbot is run no - including within cron?
I think I’m chasing a red herring…

The output is:
drwxrwxr-x 14 maik maik 4096 Nov 7 00:07 /opt/letsencrypt/

Greetings
Maik

Cron scripts from the /etc/cron.<timeinterval>/ will run as root. Also, the error you’re focussing on wasn’t in the first error presented by @istler and is probably totally not relevant for this thread.

Well, that owner isn’t root :wink: From Certbot-auto deployment best practices (as linked in the error you’ve posted):

Make sure that the directory path containing certbot-auto (which includes every directory accessed in the absolute path to certbot-auto) doesn’t allow writing for low privileged users.

That is true,
but

$ ls -ld /opt/letsencrypt/
drwxr-xr-x 14 root root 4096 Nov 7 00:07 /opt/letsencrypt/

Did not solve my problem.

And /opt/?  

Please show:
which certbot-auto

Okay, this fixes the problem.

ls -ld /opt/
drwxr-xrwx 5 root root 4096 Mär 11 2018 /opt/
maik@dagobert:~$ sudo chmod 755 /opt/
maik@dagobert:~$ /opt/letsencrypt/certbot-auto --version
Requesting to rerun /opt/letsencrypt/certbot-auto with root privileges…
certbot 0.40.1

But isn’t that too far-reaching? I can understand that the letsencrypt folder still needs write protection, but folders above?

1 Like

Better safe than sorry?
Could a lower priv user override the chmod on the lower paths and get in anyway?
[owner is owner]

When the folder /opt has write access for everyone, and the folder /opt/letsencrypt has write access only for root, then only root can change the privileges of the folder letsencrypt, not everyone. But everyone can create a new folder / file in the folder /opt.

In the opt folder (optional) there is normally other optional software, which is owned by other users. Normally no process / application should run as root.

Sorry for being late in the game. If everyone has write access to /opt, then anyone could do:

mv /opt/letsencrypt /opt/somethingelse
mkdir /opt/letsencrypt
echo 'echo owned >> /root/owned' > /opt/letsencrypt/letsencrypt-auto
chmod -R a+x /opt/letsencrypt

and it would fire the next time the root cronjob runs letsencrypt-auto with root privileges.

3 Likes
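
The check this thread converges on, as an added example that is not part of the original posts and is not certbot-auto's own code: walk from the script up to / and list every path component that someone other than root could write to. The function name `audit_path`, its arguments and its output format are made up for illustration; it assumes GNU `stat` and `readlink`, as on Ubuntu.

```shell
#!/bin/sh
# audit_path FILE [TRUSTED_UID] [TRUSTED_GID]    (hypothetical helper)
#   Prints one line per component of FILE's absolute path that an account
#   other than the trusted one (default uid 0 / gid 0) may write to.
#   Returns 0 if the whole chain is clean, 1 on findings, 2 on error.
#   Example: audit_path /opt/letsencrypt/certbot-auto
audit_path() {
    path=$(readlink -f -- "$1") || return 2   # absolute path, symlinks resolved
    [ -e "$path" ] || return 2
    uid_ok=${2:-0}
    gid_ok=${3:-0}
    findings=0
    while :; do
        # numeric owner, numeric group, octal mode, e.g. "0 0 757"
        info=$(stat -c '%u %g %a' -- "$path") || return 2
        uid=${info%% *}
        mode=${info##* }
        gid=${info#* }; gid=${gid% *}

        if [ "$uid" != "$uid_ok" ]; then
            # the owner can always chmod the entry back to writable
            echo "$path: owned by uid $uid, not $uid_ok"; findings=1
        fi
        if [ $(( 0$mode & 020 )) -ne 0 ] && [ "$gid" != "$gid_ok" ]; then
            echo "$path: writable by gid $gid"; findings=1
        fi
        if [ $(( 0$mode & 002 )) -ne 0 ]; then
            echo "$path: world-writable"; findings=1
        fi

        [ "$path" = "/" ] && break
        path=$(dirname -- "$path")            # step up to the parent directory
    done
    return "$findings"
}
```

With the permissions shown in the thread it would report `/opt: world-writable` until the `chmod 755 /opt/`, and `/opt/letsencrypt` as not owned by uid 0 while it still belonged to maik.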