-
Notifications
You must be signed in to change notification settings - Fork 129
/
perm.example
63 lines (63 loc) · 2.47 KB
/
perm.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# In some rare cases it can be necessary to override the permissions that
# acmetool sets on files. You can override those permissions using the
# permissions configuration file, which should be placed at
# $ACME_STATE_DIR/conf/perm. This is an example of such a file. You should be
# very careful when using this file, and only include the minimum changes that
# you need to make.
#
# Each line has the following syntax:
# path-pattern file-mode dir-mode [uid gid]
#
# For example:
# keys 0640 0750
# or
# keys 0640 0750 root exim
#
# If you specify a UID, you must also specify a GID and vice versa.
# UIDs and GIDs can be specified numerically, and on some platforms
# they may also be specifiable as names.
#
# The special UID/GID value "$r" means the current UID/GID of the running
# acmetool process; you can use this to ensure that the file UID/GID is
# enforced to the user which acmetool runs as.
#
# Not specifying UID/GID values, or specifying both as "-", means that acmetool
# will not pay attention to file ownership. Files will be created with their
# "natural" owner (i.e., the UID/GID under which acmetool is running).
#
# Mode enforcement cannot be disabled.
#
# Nothing acmetool does should affect POSIX ACLs, if you wish to use them.
#
# A path-pattern is a glob pattern. Specifying the same path-pattern as a built
# in permissions rule overrides that rule. You cannot place two entries for
# the same path-pattern in this file. acmetool uses the longest matching pattern
# when deciding what rule to use when enforcing permissions.
#
# The default rules are shown below:
#
# . 0644 0750 # Default for anything without a longer match
# accounts 0600 0700
# desired 0644 0755
# live 0644 0755
# certs 0644 0755
# certs/*/haproxy 0600 0700 # Support for the HAProxy extension; contains private keys
# keys 0600 0700
# conf 0644 0755
# tmp 0600 0700 # Do NOT change this
#
# If you wish to disable a path-pattern rule allowing policy to be inherited
# from a shorter match, you can do this using the special keyword 'inherit':
#
# path-pattern inherit
#
# For example, maybe you want to make the whole directory restricted:
# . 0600 0700
# accounts inherit
# certs inherit
# conf inherit
# desired inherit
# keys inherit
#
# Again, you should rarely ever need to use this file. When you use this file,
# add only the entries that you absolutely need.