[libre-riscv-dev] [Bug 182] Move to libre-soc.org

bugzilla-daemon at libre-riscv.org bugzilla-daemon at libre-riscv.org
Wed Feb 19 01:47:06 GMT 2020


http://bugs.libre-riscv.org/show_bug.cgi?id=182

--- Comment #22 from vklr at vkten.in <vklr at vkten.in> ---
(In reply to Jacob Lifshay from comment #21)
> (In reply to vklr at vkten.in from comment #20)
> > There is a nginx plugin but it is not safe. Webroot plugin is safer. It
> > generates a certificate in a directory, and we have to copy it to required
> > final place.
> 
> The way I did it was just making symlinks to the location that certbot
> stores the latest version of the certificate (it stores it in a subdirectory
> of /etc/letsencrypt with access only allowed by root). That way, no copying
> is needed, all that's needed is to have the appropriate programs reload the
> certificates.

Certificates should not be shared with all, but only with the specific
programs we want. They are kept in a root-accessible area as a security
measure.

But programs should not be allowed to run as root or have access to the
root-accessible area. Usually, for isolation, programs are run under a
separate UID and GID, so they cannot access directories that are accessible
only by root.

It may be better to make a separate Unix group and user for the purpose of
certificate distribution. Make a directory with that group and user. Copy the
private key and public certificates from /etc/letsencrypt/... to it. Make the
directory group permissions rx. Put the process users of the necessary
programs/daemons in this group.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
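
The group-based layout proposed in comment #22, sketched as a shell script.
This is an added example, not part of the original message; the group name
"certdist", the destination directory and the www-data daemon user are
assumptions.

```shell
#!/bin/bash
# Added example: copy a certbot certificate directory into a group-readable one.
# Assumed names (not from the thread): group "certdist", /etc/ssl/certdist.
# One-time setup, as root:
#   groupadd --system certdist
#   usermod -aG certdist www-data   # repeat for each daemon user needing the key

# distribute_cert SRC_DIR DEST_DIR GROUP
# Copies fullchain.pem and privkey.pem so only the owner and GROUP can read them.
distribute_cert() {
    local src=$1 dest=$2 group=$3 f tmp
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "missing certificate or key in $src" >&2
        return 1
    fi
    # Directory: owner rwx, group r-x, others nothing.
    install -d -m 0750 -g "$group" "$dest" || return 1
    for f in fullchain.pem privkey.pem; do
        # Write under a temporary name with the final permissions, then rename,
        # so a daemon reloading mid-copy never reads a partial file.
        tmp="$dest/.$f.new"
        install -m 0640 -g "$group" "$src/$f" "$tmp" || return 1
        mv -f "$tmp" "$dest/$f" || return 1
    done
}

# check_cert_dir DEST_DIR
# Fails if the directory or any file in it grants any permission to "others".
check_cert_dir() {
    local dest=$1 p mode bad=0
    for p in "$dest" "$dest"/*; do
        [ -e "$p" ] || continue
        mode=$(stat -c '%a' "$p")
        case "$mode" in
            *[1-7]) echo "world-accessible: $p (mode $mode)" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage: script SRC_DIR DEST_DIR GROUP (run as root after each renewal).
if [ $# -eq 3 ]; then
    distribute_cert "$1" "$2" "$3" && check_cert_dir "$2"
fi
```

The daemons still have to reload their certificates after each copy.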

