
/var/lib/acme/conf/target file permission

Open moll opened this issue 2 years ago • 3 comments

Hey,

Thanks for maintaining acmetool. It seems exactly what I was after — an idempotent and declarative ACME client.

I'm setting up a DNS hook and added the TSIG key as an environment variable to /var/lib/acme/conf/target. However on running acmetool, it warns of its permissions:

20220313183755 [WARN] fdb: "conf/target" has wrong mode -rw-r-----, changing to -rw-r--r--

Why is that? Given the target file now contains credentials, I'd definitely not want it to be world-readable.

Thanks!

moll, Mar 13 '22 18:03

You can override permissions enforcement using this file: https://github.com/hlandau/acmetool/blob/master/_doc/contrib/perm.example

hlandau, Mar 14 '22 07:03

Ah, thanks. That'll do it.

You might want to add it to https://github.com/hlandau/acmetool/blob/master/_doc/SCHEMA.md, too, as right now I don't think I would've discovered it without your help.

moll, Mar 14 '22 10:03

I gave perm a try and if I'm not mistaken, it expects to set permissions on an entire directory. I was attempting to only lock down conf/target, but that errs with:

20220314150328 [CRITICAL] acmetool: fatal: storage: open fdb: mkdir /var/lib/acme/conf/target: not a directory

That in turn makes me think that individual certs could use a permission system. For example, the private certificate for an SMTP server would need to be owned by Postfix, whereas a certificate for a web server should only be readable by it. How do you handle these situations? State directories have a very large structure overhead, so I'm not too keen on duplicating them per-service.

Thanks!

moll, Mar 14 '22 15:03
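
A log check for the warning quoted in the opening post, as an added example that is not part of the thread or of acmetool: it parses the `has wrong mode` lines and reports only the changes that give group or other users access the old mode withheld. The function names and the second sample line are constructed for illustration, and the mode strings are assumed to be in Go's `os.FileMode` text form, as in the quoted log.

```python
import re

# Matches the fdb warning format quoted in the issue above.
WARN_RE = re.compile(
    r'fdb: "(?P<path>[^"]+)" has wrong mode (?P<old>\S+), changing to (?P<new>\S+)'
)

def mode_bits(sym):
    """Convert a mode string such as '-rw-r-----' to permission bits.

    Assumes Go's os.FileMode text form: optional type letters followed
    by exactly nine rwx characters, so only the last nine are read.
    """
    bits = 0
    for i, ch in enumerate(sym[-9:]):
        if ch != "-":
            bits |= 1 << (8 - i)
    return bits

def loosened(line):
    """Return (path, old, new, added) when the logged change grants
    group/other access that the old mode did not; otherwise None."""
    m = WARN_RE.search(line)
    if not m:
        return None
    old, new = mode_bits(m["old"]), mode_bits(m["new"])
    added = new & ~old & 0o077  # bits newly granted to group or other
    return (m["path"], old, new, added) if added else None

def audit(log_text):
    """Collect every loosening change found in a block of log output."""
    hits = (loosened(line) for line in log_text.splitlines())
    return [h for h in hits if h]

# First line is the warning from the issue; the second is constructed
# to show a tightening change, which must not be reported.
SAMPLE_LOG = '''\
20220313183755 [WARN] fdb: "conf/target" has wrong mode -rw-r-----, changing to -rw-r--r--
20220313183755 [WARN] fdb: "keys/example/privkey" has wrong mode -rw-r--r--, changing to -rw-------
'''

if __name__ == "__main__":
    for path, old, new, added in audit(SAMPLE_LOG):
        print(f"{path}: {old:04o} -> {new:04o} (newly granted: {added:04o})")
```
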