
Insecure permissions for /etc/letsencrypt #1307

Closed
1 of 2 tasks
NiceGuyIT opened this issue Oct 9, 2022 · 2 comments
@NiceGuyIT (Contributor)

Server Info (please complete the following information):

  • OS: Ubuntu 20.04.4 LTS
  • Browser: Firefox 103.0.2 (64-bit)
  • RMM Version (as shown in top left of web UI): v0.15.0

Installation Method:

  • Standard
  • Docker

Agent Info (please complete the following information):

  • Agent version (as shown in the 'Summary' tab of the agent from web UI): N/A
  • Agent OS: N/A

Describe the bug
Line 171 of the install.sh script changes permissions of /etc/letsencrypt to allow everyone read access to the rmm/api/mesh certs and key PEM files. Anyone who has access to the TRMM server has access to the certs. This is insecure.

The update.sh script has the same command.

To Reproduce
Steps to reproduce the behavior:

  1. cd /etc/letsencrypt/keys
  2. ls -la
  3. The key files have o=rx permissions.
-rwxrwxr-x 1 tactical tactical 1.7K Apr  9  2022 0000_key-certbot.pem*
-rwxrwxr-x 1 tactical tactical 1.7K Jul  8 17:28 0001_key-certbot.pem*

Expected behavior
The TLS keys should be readable only by the necessary processes. They should never be world readable.

Screenshots
N/A

Additional context
I'm reporting here because an attacker would need to gain access to the server and redirect DNS. This is extremely unlikely.

@NiceGuyIT (Contributor, Author) commented Oct 9, 2022

For reference, here are the permissions after deleting /etc/letsencrypt and running certbot.

$ ls -la /etc/letsencrypt/
total 8
drwxr-xr-x  9 root root  108 Oct  9 18:30 .
drwxr-xr-x 72 root root 4096 Oct  9 18:28 ..
drwxr-xr-x  3 root root   42 Oct  9 18:28 accounts
drwx------  3 root root   23 Oct  9 18:30 archive
drwxr-xr-x  2 root root   34 Oct  9 18:30 csr
drwx------  2 root root   34 Oct  9 18:30 keys
drwx------  3 root root   37 Oct  9 18:30 live
drwxr-xr-x  2 root root   28 Oct  9 18:30 renewal
drwxr-xr-x  5 root root   43 Oct  9 18:28 renewal-hooks

$ ls -lad /etc/letsencrypt/*/*
drwxr-xr-x 3 root root   23 Oct  9 18:28 /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org
drwxr-xr-x 2 root root   83 Oct  9 18:30 /etc/letsencrypt/archive/a8n.tools
-rw-r--r-- 1 root root  920 Oct  9 18:30 /etc/letsencrypt/csr/0000_csr-certbot.pem
-rw------- 1 root root 1704 Oct  9 18:30 /etc/letsencrypt/keys/0000_key-certbot.pem
drwxr-xr-x 2 root root   93 Oct  9 18:30 /etc/letsencrypt/live/a8n.tools
-rw-r--r-- 1 root root  740 Oct  9 18:30 /etc/letsencrypt/live/README
-rw-r--r-- 1 root root  542 Oct  9 18:30 /etc/letsencrypt/renewal/a8n.tools.conf
drwxr-xr-x 2 root root    6 Oct  9 18:28 /etc/letsencrypt/renewal-hooks/deploy
drwxr-xr-x 2 root root    6 Oct  9 18:28 /etc/letsencrypt/renewal-hooks/post
drwxr-xr-x 2 root root    6 Oct  9 18:28 /etc/letsencrypt/renewal-hooks/pre

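The remediation the two listings above imply, as an added example that is not part of the issue, the comments, or the Tactical RMM install.sh/update.sh scripts: a POSIX shell audit that flags any certbot private key whose group or other permission bits are set (the `-rwxrwxr-x` state in the report) and resets the tree to the certbot defaults shown in the second listing (`drwx------` on `keys/`, `archive/` and `live/`, `-rw-------` on the key files). It checks the two places certbot writes private keys, `keys/NNNN_key-certbot.pem` and `archive/<lineage>/privkeyN.pem`, and leaves the public `cert*`, `chain*` and `fullchain*` files alone. It runs against a constructed mock directory under a temp dir rather than the real /etc/letsencrypt; the mock's file names, the `example.com` lineage and the recursive `chmod 775` used to reproduce the bad state are assumptions, since the issue quotes only the resulting modes, not the command that produced them.

```shell
#!/bin/sh
# Added example: audit and repair certbot private-key permissions.
# Not part of Tactical RMM's install.sh/update.sh or the issue author's posts.

# Print the 10-character mode string of a path, e.g. -rwxrwxr-x.
# Uses POSIX ls rather than stat, whose flags differ between GNU and BSD.
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# audit_private_keys DIR
# Walk the two places certbot keeps private keys and report every file whose
# group or other bits are non-empty. Returns 1 if anything is exposed.
audit_private_keys() {
    bad=0
    for f in "$1"/keys/*.pem "$1"/archive/*/privkey*.pem; do
        [ -f "$f" ] || continue            # an unmatched glob stays literal; skip it
        mode=$(mode_of "$f")
        case "$mode" in
            ????------) ;;                  # owner bits only: fine
            *) printf 'INSECURE: %s %s\n' "$mode" "$f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# harden_private_keys DIR
# Restore certbot's defaults: 0700 on keys/, archive/ and live/, 0600 on the
# private key files. Public cert files (cert*.pem, chain*.pem, fullchain*.pem)
# are not secret, certbot writes them 0644, so they are left untouched.
harden_private_keys() {
    for d in "$1"/keys "$1"/archive "$1"/live; do
        [ -d "$d" ] && chmod 0700 "$d"
    done
    for f in "$1"/keys/*.pem "$1"/archive/*/privkey*.pem; do
        [ -f "$f" ] && chmod 0600 "$f"
    done
    return 0
}

# make_mock_letsencrypt DIR
# Constructed stand-in for /etc/letsencrypt (placeholder content, not real
# keys) put into the world-readable 775 state shown in the issue's listing.
# That a recursive chmod 775 is what produced that listing is an assumption.
make_mock_letsencrypt() {
    mkdir -p "$1"/keys "$1"/archive/example.com "$1"/live/example.com
    printf '%s\n' 'PLACEHOLDER PRIVATE KEY' > "$1"/keys/0000_key-certbot.pem
    printf '%s\n' 'PLACEHOLDER PRIVATE KEY' > "$1"/archive/example.com/privkey1.pem
    printf '%s\n' 'PLACEHOLDER CERT' > "$1"/archive/example.com/cert1.pem
    chmod -R 775 "$1"
}

# Demo against the mock only when invoked as: sh audit_le.sh --demo
# On a real host run `audit_private_keys /etc/letsencrypt` as root instead.
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_mock_letsencrypt "$tmp"
    audit_private_keys "$tmp" || echo "exposed keys found, repairing"
    harden_private_keys "$tmp"
    audit_private_keys "$tmp" && echo "ok: $tmp"
    rm -rf "$tmp"
fi
```

The audit deliberately treats any group or other bit as a failure rather than only `o=r`: the `tactical` group in the report is the service account, and a key readable by that group is still readable by anything that compromises the web or API process, which is the access the reporter is worried about. The repair sets the directory modes as well as the file modes, because a 0600 key inside a 0755 `keys/` directory still leaks its existence and name, and certbot's own layout relies on the parent directories being 0700.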
@wh1te909 self-assigned this Oct 14, 2022

@wh1te909 (Member)

Thanks! I removed the chmod command, not even sure why that was there lol... the perms don't need touching, the defaults are good.
