Disbelief that people are taught to run scripts as root


#1

I think it is consensus that Let’s Encrypt is a great idea that was long overdue to change the Internet.

However, seeing that it advocates running a very complex client with root privileges on every server shocks me. I also find it shocking that people accept this, showing that security is still too little of a concern to people, ironically among people who are trying to improve security by using encryption.

I cannot understand how it was even possible for the client to have such a design. I’m quite bummed out the whole concept turned out like this.


#2

The reason why you need to run it as root is somewhat an additional proof that you own the domain, as only root is able to start services on privileged ports (<1024).

However, I agree with you that the official client is some big black voodoo box. Yes, you could trust the guys behind Let’s Encrypt that they did their job right and the software is secure.

If you don’t like the official client, check out List of Client Implementations for other clients. I personally use acme-tiny, because it fits my needs the most and has little to no dependencies on third-party libraries. Also it’s quite small so you can audit the code yourself.


#3

Running as root also gives the program the ability to enforce root-only access to the resulting certificate.


#4

I’m considering changing the rights of /etc/letsencrypt to mynormalusername:root. That way I can run the script as my daily user and the script can do whatever it wants in /etc/letsencrypt… Place all the certificates and so on… But the first instance of Apache (running as root) can access the certificates too, 'cause of the root GID rights :smile:

Haven’t tested it though, but it should be viable I reckon…

As long as Let’s Encrypt is relying on custom Debian a2rmmod-scripts and so on I can’t use all that fancy automatic Apache shizzle, so only webroot for me… So I won’t be needing root anyway. Therefore, scripts shouldn’t be running as root if it isn’t needed indeed.


#5

Take a look at some of the spaghetti code from GNU you allow to run as root on your systems every day when you get the chance. It’ll give you a whole new outlook on worrying about a Python script running as root.


#6

Of course, having a custom user for the client, the program can set the permissions to 600, effectively enforcing the exact same without being root.
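Posts #3, #4 and #6 describe the same least-privilege layout from different angles: a dedicated non-root user owns the certificate directory, the private key is 0600 so only that user can read it, the chain is left group-readable for the web server, and HTTP-01 challenge files go under the webroot. The following is an added example showing how a client running as that user enforces those modes (it is not code from the thread, from acme-tiny or from the official client). The group name "www-data", the directory layout and the PEM contents are assumptions for the demo; the group handover is optional and only works if the client user is itself a member of that group, which is exactly the point, since no root is needed for any of it.

```python
"""Added example: a certificate store a non-root ACME client can manage
while still enforcing owner-only access to the private key.

Assumed layout (mirrors the /etc/letsencrypt-owned-by-user:group idea):
  <cert_root>/live/<name>/privkey.pem           0600  client user only
  <cert_root>/live/<name>/fullchain.pem         0640  client user + web server group
  <webroot>/.well-known/acme-challenge/<token>  0644  served to the CA
"""
import grp
import os
import stat
import tempfile
from typing import Dict, Optional


def write_secure(path: str, data: bytes, mode: int, group: Optional[str] = None) -> None:
    """Create `path` with exactly `mode` and no world-readable window.

    O_CREAT|O_EXCL refuses to follow a symlink planted at the temp name,
    fchmod overrides whatever umask the caller inherited, and os.replace
    swaps the file in atomically so a reader never sees a half-written key.
    """
    tmp = path + ".tmp"
    try:
        os.unlink(tmp)  # stale temp file left by an interrupted run
    except FileNotFoundError:
        pass
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.write(fd, data)
        os.fchmod(fd, mode)
        if group is not None:
            # chgrp without root: allowed when the caller belongs to `group`
            os.fchown(fd, -1, grp.getgrnam(group).gr_gid)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.replace(tmp, path)


def install_cert(cert_root: str, name: str, key_pem: bytes, chain_pem: bytes,
                 server_group: Optional[str] = None) -> Dict[str, str]:
    """Place key and chain under <cert_root>/live/<name> with the modes above."""
    live = os.path.join(cert_root, "live", name)
    os.makedirs(live, exist_ok=True)
    os.chmod(live, 0o750)  # makedirs' mode argument is masked by umask, so set it explicitly
    paths = {
        "privkey": os.path.join(live, "privkey.pem"),
        "fullchain": os.path.join(live, "fullchain.pem"),
    }
    write_secure(paths["privkey"], key_pem, 0o600)
    write_secure(paths["fullchain"], chain_pem, 0o640, group=server_group)
    return paths


def is_safe_token(token: str) -> bool:
    """The HTTP-01 token names a file under the webroot, so it must not be
    able to escape .well-known/acme-challenge or hide as a dotfile."""
    return bool(token) and "/" not in token and "\\" not in token and not token.startswith(".")


def place_challenge(webroot: str, token: str, key_authz: str) -> str:
    """Write the HTTP-01 key authorization where the CA will fetch it."""
    if not is_safe_token(token):
        raise ValueError("refusing unsafe challenge token")
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    write_secure(path, key_authz.encode(), 0o644)
    return path


def audit_modes(paths: Dict[str, str]) -> Dict[str, int]:
    """{label: permission bits}: the post-run check a renewal cron job should assert."""
    return {label: stat.S_IMODE(os.lstat(p).st_mode) for label, p in paths.items()}


def demo(root: Optional[str] = None) -> Dict[str, int]:
    """Issue, then renew, in a scratch directory and return the audited modes.
    PEM contents are constructed placeholders, not real key material."""
    root = root or tempfile.mkdtemp(prefix="acme-demo-")
    key_pem = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    chain_pem = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    cert_root = os.path.join(root, "etc-letsencrypt")
    old_umask = os.umask(0o000)  # deliberately permissive: modes must still come out right
    try:
        install_cert(cert_root, "example.com", key_pem, chain_pem)       # first issuance
        paths = install_cert(cert_root, "example.com", key_pem, chain_pem)  # renewal overwrites in place
        paths["challenge"] = place_challenge(os.path.join(root, "webroot"),
                                             "tokenABC123", "tokenABC123.thumbprint")
    finally:
        os.umask(old_umask)
    return audit_modes(paths)


if __name__ == "__main__":
    for label, mode in demo().items():
        print(f"{label:10s} {mode:04o}")
```

Because every file is created through `write_secure`, the umask of whatever cron or shell launched the client is irrelevant, and a symlink pre-planted at `privkey.pem.tmp` makes the open fail rather than redirect the key elsewhere. The web server, started as root, can still read `fullchain.pem` (and the key if it is given the client user's group, or read it once at start as root and drop privileges as usual); nothing in the flow ever needed uid 0.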


#7

An argument of the form “others are worse” is not to be taken seriously. Besides, on a typical server, applications having root privileges and interacting with the outside network are normally very limited; here, on a FreeBSD installation, they are sshd and openntpd, both of which make a big effort to use privilege separation to mitigate the risk.

Given how little need there is for the client to run as root, it is remarkable how little thought is spent on the subject.


#8

Have a look at acme_tiny.pl. This is roughly how I would have envisioned the official client in the first place, with third parties providing more wipe-my-ass-y solutions, not the other way around.


#9

@drtoful, @TCM: yes, thanks, acme_tiny.py is perfect. I still stand by my point that what Let’s Encrypt advocates is an awful practice to say the least.