Letsencrypt.log files permissions

Hello.

I just began using Let’s Encrypt/certbot some days ago.
I’m using the following packages on a CentOS Linux release 7.6.1810 (Core) server:
python2-certbot-0.34.2-3.el7.noarch
python2-certbot-apache-0.34.2-1.el7.noarch
certbot-0.34.2-3.el7.noarch

I observe that log files created in the /var/log/letsencrypt directory have 0644 permissions.
Wouldn’t it be preferable to set them to 0600?
I know close to nothing about Python; however, I grepped this in /usr/lib/python2.7/site-packages/certbot/log.py:
The file is created with permissions 600.

==> Is there something I could do to force 0600 permissions on log files?

Thank you.

Hi @S3cN3tSys,

Welcome to the community forum!

I did some digging on one of my Cent7 boxes. The interesting bit here is the constants.py file which contains the logs_dir variable.

$ grep -r "/var/log/letsencrypt"  /usr/lib/python2.7/site-packages/certbot
tests/testdata/sample-renewal.conf:logs_dir = /var/log/letsencrypt
tests/testdata/sample-renewal-ancient.conf:logs_dir = /var/log/letsencrypt
Binary file constants.pyc matches
constants.py:    logs_dir="/var/log/letsencrypt",

That variable points to /usr/lib/python2.7/site-packages/certbot/log.py, just as you mentioned. Investigating that file shows us the following function:

def setup_log_file_handler(config, logfile, fmt):
    util.set_up_core_dir(
        config.logs_dir, 0o700, os.geteuid(), config.strict_permissions)
    log_file_path = os.path.join(config.logs_dir, logfile)

which creates /var/log/letsencrypt with 0700 permissions:

# ls -al /var/log | grep letsencrypt
drwx------.  2 root     root       36864 Jul  2 17:21 letsencrypt

As for the files inside that directory, we’ll need to look at umask instead of certbot. umask sets the file mode creation mask.

Here are the default values on a Cent7 VM, hence the 644 permissions on the /var/log/letsencrypt/letsencrypt.log files.

$ sudo umask
0022
$ umask
0002

The umask values get set by /etc/profile. For more information on why that file exists, check out https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/.

$ grep -C3 umask /etc/profile
# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002
else
    umask 022
fi

I hope this helped!

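To make the umask point concrete, here is an added example (not certbot's own code) that shows the 0644 result of a plain open() under the shell's default umask, and a small logging.FileHandler subclass (a hypothetical name, PrivateFileHandler) that keeps its log file 0600 regardless of umask by opening with an explicit mode and then chmod'ing the descriptor. The sample log line and temporary paths are constructed for the demonstration.

```python
# Added example (not certbot's own code): why certbot's log files end up 0644 and how a
# log handler can force 0600 regardless of the umask inherited from the shell.
import logging
import os
import shutil
import stat
import tempfile


class PrivateFileHandler(logging.FileHandler):
    """FileHandler that keeps its log file 0600 even under a permissive umask."""

    def _open(self):
        # The mode given to os.open is still reduced by umask, and a file that
        # already exists keeps its old bits, so chmod after opening as well.
        fd = os.open(self.baseFilename, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        os.fchmod(fd, 0o600)
        return os.fdopen(fd, "a")


def _mode_after(umask, create):
    """Set umask, let create(path) make a fresh file, return its permission bits."""
    old = os.umask(umask)
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "letsencrypt.log")
    try:
        create(path)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)
        shutil.rmtree(tmpdir, ignore_errors=True)


def mode_with_plain_open(umask):
    """Plain open(), as logging.FileHandler does it: 0o666 & ~umask (0o644 for 022)."""
    def create(path):
        with open(path, "a"):
            pass
    return _mode_after(umask, create)


def mode_with_private_handler(umask):
    """The same file written through PrivateFileHandler: 0o600 whatever the umask."""
    def create(path):
        handler = PrivateFileHandler(path)
        handler.emit(logging.LogRecord("example", logging.INFO, "example.py", 0,
                                       "constructed sample log line", None, None))
        handler.close()
    return _mode_after(umask, create)
```

Because the fchmod runs on every open, the handler also tightens a pre-existing log file that was left world-readable by an earlier run.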

Hello.

Thank you so much for your detailed answer.
I had thought about umask; however, I’d think that certbot’s setting would take precedence over the user’s umask. And it appears that it doesn’t.
I certainly don’t want to change umask globally.
