Is it safe for the www:data user to read the certificates folder?

majidtp · April 22, 2023, 5:30pm

hello
Is it safe for the www:data user to read the certificates folder?

I have run the following command for this and put it in cronjob as well

sudo setfacl -R -m u:www-data:rx /etc/letsencrypt/live/ /etc/letsencrypt/archive/

I have done this for postfixadmin to generate the hash

Does this work have a security issue?

Thank you for guiding me

Buffalo · April 22, 2023, 11:06pm

Short answer: it is not safe for www-data to be able to read
the private key. It is safe for www-data to read the public key.

majidtp · April 23, 2023, 12:31am

Thank you for your reply. I want to return to the default permission. What access (owner and permission) should I set?

Buffalo · April 23, 2023, 12:58am

On systems which start the web server as root, then degrade the permissions, you should have:

The private key owned by root, with permissions rw_______,
and the public key owned by root, with permissions rw_r__r__

The directory which contains those keys is typically owned
by root with permissions rwxr_xr_x

also typically, the web server is started by root, then degrades permissions to those of www-data. If your system does not do that, please fill out the questionnaire which asks which system and server you are using. The folks on here are quite knowledgeable, and will be able to respond to your specific system much better than my SWAG above.

I confess that my hurried response above was motivated by worry that your private key was exposed by inappropriate permissions. Edit: as an addendum, after you get this 'right' you
might consider obtaining a new certificate, which has not been exposed to jeopardy.

Bruce5051 · April 23, 2023, 1:12am

Or even the Price is The Price Is Right - Wikipedia

Buffalo · April 23, 2023, 1:19am

Buh! (A Comanche word, which expresses an appropriate reaction to Bruce5051's comment). This forum would not accept the short version, which is just "Buh!". LOL

barf7709 · April 23, 2023, 2:57am

@Buffalo could you share a link about the word

Buffalo · April 23, 2023, 3:12am

Going to PM

majidtp · April 23, 2023, 5:23pm

Hello, thank you for your reply.
I deleted the letsencrypt folder and created the keys with certbot command. And this time I didn't change the permission again.

This discussion is also open on GitHub.

thank you again.

system · May 23, 2023, 5:24pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[SOLVED] Possible serious security problem (private keys accessible by everyone) Help	4	1661	December 10, 2015
Public Key Permissions Client dev	4	1279	June 4, 2018
Private keys are world-readable Issuance Policy	4	3597	December 1, 2017
Best practice for exposing private key to locally installed programs? Server	5	6604	April 7, 2019
privkey1.pem has 644, better is 600 Help	8	8341	November 30, 2015

Is it safe for the www:data user to read the certificates folder?

Related topics