[PR #244] [CLOSED] Make umask a bit less paranoid #767

New Issue

Closed

opened 2025-12-29 01:29:03 +01:00 by adam · 0 comments

adam commented 2025-12-29 01:29:03 +01:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/dehydrated-io/dehydrated/pull/244
Author: @Stummi
Created: 7/20/2016
Status: ❌ Closed

Base: master ← Head: patch-1

---

📝 Commits (1)

• f58d3f5 Make umask a bit less paranoid

📊 Changes

1 file changed (+1 additions, -1 deletions)

View changed files

📝 letsencrypt.sh (+1 -1)

📄 Description

While I understand the idea behind the 077 umask, I think its kinda problematic: Most of my service are running as their own user, and some of them seem to try to read the file after dropping the privileges, which is not possible with the files having 600 as access mask. I don't want to run all these application as lets-encrypt user or as root, and I think the most sensitive solution is to set the files group-readable.

Since on most modern Distributions a user belongs to his own distinct group this change is not a dangerous escalation, but this way I can add the users which needs to access the private keys to the lets-encrypt usergroup.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dehydrated-io/dehydrated/pull/244 **Author:** [@Stummi](https://github.com/Stummi) **Created:** 7/20/2016 **Status:** ❌ Closed **Base:** `master` ← **Head:** `patch-1` --- ### 📝 Commits (1) - [`f58d3f5`](https://github.com/dehydrated-io/dehydrated/commit/f58d3f5fb2d42047a59d62ae37bac0f52b7229b2) Make umask a bit less paranoid ### 📊 Changes **1 file changed** (+1 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `letsencrypt.sh` (+1 -1) </details> ### 📄 Description While I understand the idea behind the 077 umask, I think its kinda problematic: Most of my service are running as their own user, and some of them seem to try to read the file after dropping the privileges, which is not possible with the files having 600 as access mask. I don't want to run all these application as lets-encrypt user or as root, and I think the most sensitive solution is to set the files group-readable. Since on most modern Distributions a user belongs to his own distinct group this change is not a dangerous escalation, but this way I can add the users which needs to access the private keys to the lets-encrypt usergroup. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

adam added the pull-request label 2025-12-29 01:29:03 +01:00

adam closed this issue 2025-12-29 01:29:03 +01:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

sudo-env

testing

rfc8738

jsonsh

v0.7.2

v0.7.1

v0.7.0

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

v0.4.0

v0.3.1

v0.3.0

v0.2.0

v0.1.0

Labels

Clear labels

Complicated

bug

enhancement

help wanted

pull-request

Mirrored from GitHub Pull Request

suggestions wanted

testing

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/dehydrated#767