Feature: privilege separation #332

Closed
opened 2025-12-29 01:22:55 +01:00 by adam · 2 comments

Originally created by @intelfx on GitHub (Apr 20, 2018).

The hooks mechanism of dehydrated has a significant usability problem: there is no way to execute hooks with higher privileges than dehydrated itself. For example, I do not want dehydrated to run as root (which I hope is understandable), but I need root privileges to deploy the resulting keys.

Locally, I have worked around this with a sort of "playbook" mechanism: I have a catch-all deployment hook that records all its invocations in a text file and after dehydrated is done, a "real" hook is run that reads the text file and executes recorded actions with elevated privileges.

Can we have something similar in dehydrated? Or at least a kind of internal privilege separation when dehydrated starts as root, forks, then the child process drops privileges, performs network operations and communicates back to the parent when a hook needs to be run.

adam closed this issue 2025-12-29 01:22:55 +01:00

@leonklingele commented on GitHub (Apr 20, 2018):

setuid / setgid could help here, although unsupported for scripts.


@lukas2511 commented on GitHub (Apr 20, 2018):

Sorry, but real privilege separation in dehydrated is nothing I'm planning to work on.

Most of the tasks would probably work without any root access:

  • Writing certificate files: Most services start as root anyway, give only dehydrated access to the certificate folder, the service will be able to read the files
  • Restarting/Reloading services: At least systemd has policykit support for giving users access to certain systemctl controls without direct root access (other init systems may have this as well, never tried)
  • DNS hooks and serving of challenge files shouldn't be much of a problem as well
  • For special cases you could always just use sudo in your hook script with special rules allowing only certain commands to be executed as root
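The "playbook" workaround from the issue description, combined with the point above that the hook itself needs no root, as an added example that is not dehydrated's own code: the unprivileged hook only records deploy_cert requests, and a separate root job replays them after validating every field, so the log cannot be turned into a way of running arbitrary commands as root. The paths under /var/lib/dehydrated and /etc/ssl/deployed, the reload command, the tab-separated log format and the use of `readlink -f` and `install` are assumptions.

```shell
#!/bin/sh
# Playbook-style privilege separation for dehydrated hooks (added example, not dehydrated's
# code): the hook only records deploy_cert calls; a root job validates and replays the log.
set -eu

PLAYBOOK="${PLAYBOOK:-/var/lib/dehydrated/playbook.log}"  # written by the hook user (assumed)
CERT_ROOT="${CERT_ROOT:-/var/lib/dehydrated/certs}"       # dehydrated's cert directory (assumed)
DEPLOY_ROOT="${DEPLOY_ROOT:-/etc/ssl/deployed}"            # root-owned, read by the service
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"         # the only privileged action (assumed)

# Hook entry point, called by dehydrated as:
#   hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
record_hook() {
    case "$1" in   # record instead of acting; stages that need no privileges are ignored
        deploy_cert) printf 'deploy_cert\t%s\t%s\t%s\n' "${2-}" "${3-}" "${5-}" >> "$PLAYBOOK" ;;
    esac
}

# Accept only a plausible hostname and regular files that, after resolving symlinks (dehydrated's
# privkey.pem is one), still live in CERT_ROOT/<domain>/; otherwise a link could point anywhere.
validate_entry() {
    case "$1" in
        *[!A-Za-z0-9.-]*|''|.*|*.|-*|*..*) return 1 ;;   # bad character or shape
        *.*) ;; *) return 1 ;;                            # needs at least one dot
    esac
    root=$(readlink -f "$CERT_ROOT")
    for f in "$2" "$3"; do
        real=$(readlink -f "$f") || return 1
        case "$real" in "$root/$1/"*) ;; *) return 1 ;; esac
        [ -f "$real" ] || return 1
    done
}
# Privileged side: replay the log, doing only the fixed copy + reload; prints the count deployed.
replay_playbook() {
    deployed=0
    [ -f "$PLAYBOOK" ] || { echo 0; return 0; }
    while IFS="$(printf '\t')" read -r action domain key chain; do
        if [ "$action" = deploy_cert ] && validate_entry "$domain" "$key" "$chain"; then
            install -d -m 0750 "$DEPLOY_ROOT/$domain"
            install -m 0600 "$key" "$DEPLOY_ROOT/$domain/privkey.pem"
            install -m 0644 "$chain" "$DEPLOY_ROOT/$domain/fullchain.pem"
            deployed=$((deployed + 1))
        else
            echo "rejected playbook line: $action $domain $key $chain" >&2   # never executed
        fi
    done < "$PLAYBOOK"
    : > "$PLAYBOOK"
    [ "$deployed" -gt 0 ] && $RELOAD_CMD
    echo "$deployed"
}
```

Run the same file as dehydrated's hook (record side) from the unprivileged account and call `replay_playbook` from a root cron job or systemd timer; the playbook file only needs to be writable by the hook user and readable by root.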
Reference: starred/dehydrated#332