Is it safe for the www-data user to read the certificates folder?

hello
Is it safe for the www-data user to read the certificates folder?

I have run the following command for this and put it in cronjob as well

sudo setfacl -R -m u:www-data:rx /etc/letsencrypt/live/ /etc/letsencrypt/archive/

I have done this for postfixadmin to generate the hash

Does this work have a security issue?

Thank you for guiding me

Short answer: it is not safe for www-data to be able to read
the private key. It is safe for www-data to read the public key.

9 Likes

Thank you for your reply. I want to return to the default permission. What access (owner and permission) should I set?

On systems which start the web server as root, then degrade the permissions, you should have:

The private key owned by root, with permissions rw------- (0600),
and the public key owned by root, with permissions rw-r--r-- (0644).

The directory which contains those keys is typically owned
by root with permissions rwxr-xr-x (0755).

Also, typically, the web server is started by root, then degrades permissions to those of www-data. If your system does not do that, please fill out the questionnaire which asks which system and server you are using. The folks on here are quite knowledgeable, and will be able to respond to your specific system much better than my SWAG above.

I confess that my hurried response above was motivated by worry that your private key was exposed by inappropriate permissions. Edit: as an addendum, after you get this 'right' you
might consider obtaining a new certificate, which has not been exposed to jeopardy.

11 Likes
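The layout the answer above describes, as an added example that is not part of the thread: a POSIX shell script that undoes the `setfacl -m u:www-data:rx` from the question (`setfacl -b` strips all extended ACL entries), resets owner and mode bits to root-only private keys, world-readable public certificates and 0755 directories, and then audits the tree for any private key that a non-root user could still read. It assumes the Certbot directory layout (`archive/<name>/privkey1.pem`, `fullchain1.pem`, with `live/<name>/*.pem` symlinks into `archive/`), GNU `stat -c`, and file names without spaces; the path argument is any directory with that layout, so it can be exercised on a throwaway copy before touching `/etc/letsencrypt`.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): restore root-only
# permissions on a Certbot-style certificate tree and audit it.
# Assumes layout: $root/archive/<name>/{privkey,cert,chain,fullchain}N.pem
# and $root/live/<name>/*.pem symlinks into archive/.

restore_cert_perms() {
    root="$1"
    [ -d "$root/archive" ] && [ -d "$root/live" ] || {
        echo "restore_cert_perms: $root lacks archive/ or live/" >&2
        return 1
    }

    # 1. Strip any extended ACL entries (this is what undoes the
    #    'setfacl -R -m u:www-data:rx' from the question). Skipped if
    #    the acl tools are not installed or the filesystem has no ACLs.
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -R -b "$root/archive" "$root/live" 2>/dev/null || true
    fi

    # 2. Directories: rwxr-xr-x (0755), as in the answer above.
    find "$root/archive" "$root/live" -type d -exec chmod 0755 {} +

    # 3. Private keys: rw------- (0600). find does not follow the
    #    symlinks in live/, so only the real files in archive/ are touched.
    find "$root/archive" -type f -name 'privkey*.pem' -exec chmod 0600 {} +

    # 4. Public material (cert, chain, fullchain): rw-r--r-- (0644).
    find "$root/archive" -type f -name '*.pem' ! -name 'privkey*.pem' \
        -exec chmod 0644 {} +

    # 5. Ownership root:root. chown needs root, so only attempt it then;
    #    on a test copy run as an ordinary user this step is skipped.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$root/archive" "$root/live"
    fi
}

# Returns 0 if every private key is readable by its owner only and
# carries no ACL; returns 1 and prints each offending file otherwise.
# Assumes GNU stat (-c) and file names without whitespace.
audit_privkeys() {
    root="$1"
    bad=0
    for f in $(find "$root/archive" -type f -name 'privkey*.pem'); do
        mode=$(stat -c '%a' "$f")
        # Group and other bits are the last two octal digits; anything
        # but 00 lets some non-owner read (or write) the key.
        case "$mode" in
            *00) ;;
            *) echo "LEAK: $f mode $mode (group/other bits set)"; bad=1 ;;
        esac
        # An extended ACL shows as a trailing '+' in the mode column of ls,
        # e.g. '-rw-------+', and can grant read access despite mode 0600.
        case "$(ls -ld "$f" | cut -d' ' -f1)" in
            *+) echo "LEAK: $f carries an extended ACL"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Typical use on a real system (as root):
#   restore_cert_perms /etc/letsencrypt && audit_privkeys /etc/letsencrypt
```

Because the answer also notes that www-data may read the public certificate, the script deliberately leaves `cert*.pem`, `chain*.pem` and `fullchain*.pem` world-readable; only `privkey*.pem` is locked down. Run `audit_privkeys` again after any renewal, since a new `privkeyN.pem` inherits the process umask, not the modes you set here.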

Or even the Price is The Price Is Right - Wikipedia

7 Likes

Buh! (A Comanche word, which expresses an appropriate reaction to Bruce5051's comment). This forum would not accept the short version, which is just "Buh!". LOL

10 Likes

@Buffalo could you share a link about the word

6 Likes

Going to PM

7 Likes

Hello, thank you for your reply.
I deleted the letsencrypt folder and created the keys with the certbot command. And this time I didn't change the permissions again.

This discussion is also open on GitHub.

thank you again.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.