nixos/acme: Make challenges world readable #101726
Motivation for this change
By making it world-readable, this enables setting a `group` for a given cert that does not include the webserver used for an http-01 challenge. For example, this allows setting the group to `postgres` while using `nginx` to serve the challenge, without having to create a group containing both `postgres` and `nginx`.

Additionally, change the tmpfiles rule to always create the directory as owned by acme to avoid duplicate tmpfiles for the same webroot trying to make it be owned by different groups (e.g. both `nginx` and `postgres`), which causes:

```
setting up tmpfiles
/etc/tmpfiles.d/00-nixos.conf:23: Duplicate line for path "/var/lib/acme/acme-challenge/.well-known/acme-challenge", ignoring.
```

The challenge data does not need to be kept private (as it is world-accessible over HTTP to fulfill the challenge!) so this is safe to do.

Note that lego already writes any challenge files out as 644, but the UMask was impeding this by preventing world-readability. Omitting it will cause us to use systemd's default of 022.

No units should leak any sensitive data from this:

- minica creates self-signed certs which are not sensitive since they won't be trusted
- lego creates account and cert files with 600 permissions.

Note that all units also use PrivateTmp so we only need to consider files which are directly output into a directory in BindPaths; they all also chmod their outputs to appropriate permissions, but that is not sufficient as we don't want any window (i.e. before chmod) with insecure permissions on relevant files.
AFAICT this was added in #91121 but I didn't see any discussion/specific rationale for it, lmk if I missed something. (Learned a neat trick with PrivateTmp and BindPath from that PR!)
Note that I also ran into #101389 (comment) and needed some additional setup to be able to get a cert for PostgreSQL, but this was the first hurdle I ran into and I think it will be useful for other non-PostgreSQL services.
Code where lego writes out files:
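The following is an added example, not code from this PR, from lego or from the nixpkgs acme module, that demonstrates the two permission facts the description relies on: a file created with an explicit mode (as lego does with 644 for challenge files and 600 for account/cert files) ends up with `mode & ~umask`, so a unit `UMask=0077` turns the intended 644 into 600 while the systemd default of 022 leaves 644 and 600 untouched; and creating a file first and chmod-ing it afterwards leaves a window in which the file carries the default permissions. It assumes a POSIX system and only writes into a throwaway temporary directory; the file contents are constructed sample data.

```python
"""Added example: how the process umask (systemd's UMask=) changes the
permission bits a program actually gets when it creates files, and why
"create with the right mode" beats "create, then chmod".

Not code from the nixpkgs PR or from lego; assumes a POSIX filesystem.
"""
import os
import stat
import tempfile
from typing import Tuple


def create_with_mode(requested_mode: int, umask: int) -> int:
    """Create a file with an explicit mode, the way lego does, while the
    process umask is `umask`. Returns the permission bits that actually
    landed on disk, which the kernel computes as requested_mode & ~umask."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            path = os.path.join(workdir, "file")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old_umask)  # umask is process-global; always restore it


def create_then_chmod(umask: int, final_mode: int = 0o600) -> Tuple[int, int]:
    """Create a file with the default mode (open() requests 0o666) and only
    then chmod it to `final_mode`. Returns (mode before chmod, mode after):
    the first value is the insecure window the PR description warns about."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            path = os.path.join(workdir, "file")
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")  # constructed, not real key material
            before = stat.S_IMODE(os.stat(path).st_mode)
            os.chmod(path, final_mode)
            after = stat.S_IMODE(os.stat(path).st_mode)
            return before, after
    finally:
        os.umask(old_umask)


def world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set, i.e. a webserver running as an
    unrelated user (nginx serving an http-01 challenge) could read the file."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    # Challenge token requested as 644: blocked by UMask=0077, fine under 022.
    for umask in (0o077, 0o022):
        mode = create_with_mode(0o644, umask)
        print(f"umask {umask:04o}: 0644 requested -> {mode:04o}, "
              f"world readable: {world_readable(mode)}")
    # Account key / cert requested as 600: stays 600 under the 022 default.
    key_mode = create_with_mode(0o600, 0o022)
    print(f"umask 0022: 0600 requested -> {key_mode:04o}")
    # Create-then-chmod: briefly 644 before the chmod lands.
    before, after = create_then_chmod(0o022)
    print(f"create-then-chmod under 0022: {before:04o} before chmod, {after:04o} after")
```

Run as `python3 umask_demo.py`; the two loops print 0600 under umask 0077 and 0644 under 0022 for the challenge file, 0600 for the key under 0022, and 0644 followed by 0600 for the create-then-chmod case, which is why the description treats the explicit 600 at creation time (not the later chmod) as the property that keeps lego's private files private.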