[PR #467] [CLOSED] openssl: do not use -out when generating private keys #845

Closed
opened 2025-12-29 01:29:37 +01:00 by adam · 0 comments

📋 Pull Request Information

Original PR: https://github.com/dehydrated-io/dehydrated/pull/467
Author: @intelfx
Created: 1/20/2018
Status: Closed

Base: master ← Head: genrsa-fix-acls


📝 Commits (1)

  • 55256be openssl: do not use -out when generating private keys

📊 Changes

1 file changed (+21 additions, -5 deletions)


📝 dehydrated (+21 -5)

📄 Description

openssl genrsa and openssl ecparam -genkey tend to chmod the output
file to make the private key unreadable by group and others. This breaks
a workflow where an admin uses POSIX ACLs to manage keys' access rights,
because POSIX ACLs reuse the group permissions for the "ACL mask", hence
forcing group permissions to 0 with a plain chmod() masks away all
extended ACLs.

By redirecting genrsa output from stdout we avoid this behavior while
staying secure even if ACLs are not used, because we explicitly set
umask 077 at the beginning of the script.

Example of the broken behavior:

# pwd                 
/etc/admin/certs/intelfx.name

# getfacl .
# file: .
# owner: letsencrypt
# group: letsencrypt
user::rwx
group::---
group:http-cert:r-x
mask::r-x
other::---
default:user::rwx
default:group::---
default:group:http-cert:r-x
default:mask::r-x
default:other::---

# getfacl cert.pem
# file: cert.pem
# owner: letsencrypt
# group: letsencrypt
user::rw-
group::---
group:http-cert:r--
mask::r--
other::---

# getfacl privkey.pem           
# file: privkey.pem
# owner: letsencrypt
# group: letsencrypt
user::rw-
group::---
group:http-cert:r--             #effective:---
mask::---
other::---

Here I run dehydrated as letsencrypt:letsencrypt and use group http-cert for all applications that need access to the certificates and the private key. The output directory is modified as follows:

setfacl -m u::rwX,g::0,o::0 -m g:http-cert:rX .
setfacl -d -m u::rwX,g::0,o::0 -m g:http-cert:rX .

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
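The mechanism the description relies on, shown as an added example that is not part of the PR or of dehydrated: a small Python model of the acl(5) rules for how a new file's ACL is derived from the directory's default ACL and the creation mode, what chmod() does to the mask entry, and which permissions are effective. The function names (parse_acl, create_file, chmod, effective, render) are assumptions made here, and DEFAULT_ACL is constructed from the getfacl output above. The page does not say whether OpenSSL creates the key file with mode 0600 or chmods it afterwards; the model runs both paths and they end in the same mask::--- state, while the redirected write keeps the named group readable and still yields 0600 when no default ACL is present.

```python
"""Model of the acl(5) rules behind the PR: initial ACL of a new file under a default
ACL, the effect of chmod() on the mask, and effective permissions. Added example for
illustration; not dehydrated's or OpenSSL's code."""

RWX = (("r", 4), ("w", 2), ("x", 1))


def to_bits(perms):          # 'r-x' -> 5
    return sum(b for c, b in RWX if c in perms)


def to_perms(bits):          # 5 -> 'r-x'
    return "".join(c if bits & b else "-" for c, b in RWX)


def parse_acl(text):
    """Parse getfacl-style entries ('group:http-cert:r-x') into (tag, qualifier, perms);
    '#' comments and '#effective:' annotations are dropped."""
    acl = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            acl.append((tag, qualifier, perms))
    return acl


def _class_of(acl, tag, qualifier):
    """Which mode class an entry is tied to. With a mask present, the mode's group bits
    belong to the *mask*, not to group::; named entries belong to none."""
    has_mask = any(t == "mask" for t, _, _ in acl)
    if tag == "user" and qualifier == "":
        return "owner"
    if tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
        return "group"
    if tag == "other":
        return "other"
    return None


def create_file(default_acl, mode, umask):
    """acl(5), 'Object creation and default ACLs': with a default ACL the file inherits it
    and the owner/group-class/other entries are reduced to the creation mode (umask is
    ignored); without one the minimal ACL is built from mode & ~umask."""
    if not default_acl:
        m = mode & ~umask
        return [("user", "", to_perms(m >> 6 & 7)),
                ("group", "", to_perms(m >> 3 & 7)),
                ("other", "", to_perms(m & 7))]
    classes = {"owner": mode >> 6 & 7, "group": mode >> 3 & 7, "other": mode & 7}
    out = []
    for tag, q, perms in default_acl:
        cls = _class_of(default_acl, tag, q)
        if cls is not None:
            perms = to_perms(to_bits(perms) & classes[cls])
        out.append((tag, q, perms))
    return out


def chmod(acl, mode):
    """chmod(2) on a file with an extended ACL: the mode's group bits *replace* the mask,
    so chmod 0600 sets mask::--- and silently disables every named entry."""
    classes = {"owner": mode >> 6 & 7, "group": mode >> 3 & 7, "other": mode & 7}
    out = []
    for tag, q, perms in acl:
        cls = _class_of(acl, tag, q)
        out.append((tag, q, to_perms(classes[cls]) if cls else perms))
    return out


def effective(acl, tag, qualifier):
    """Permissions that actually apply: named entries and group:: are ANDed with the mask."""
    mask = next((to_bits(p) for t, _, p in acl if t == "mask"), 7)
    for t, q, p in acl:
        if (t, q) == (tag, qualifier):
            if t in ("mask", "other") or (t == "user" and q == ""):
                return p
            return to_perms(to_bits(p) & mask)
    raise KeyError((tag, qualifier))


def render(acl):
    """getfacl-style output, with '#effective:' where the mask cuts an entry down."""
    lines = []
    for tag, q, perms in acl:
        eff = effective(acl, tag, q)
        lines.append(f"{tag}:{q}:{perms}" + (f"\t#effective:{eff}" if eff != perms else ""))
    return "\n".join(lines)


# Constructed from the PR's directory: setfacl -d -m u::rwX,g::0,o::0 -m g:http-cert:rX .
DEFAULT_ACL = parse_acl("user::rwx\ngroup::---\ngroup:http-cert:r-x\nmask::r-x\nother::---")

# `openssl genrsa > privkey.pem`: the shell creates the file with mode 0666 and the
# default ACL (not the umask) trims the mask to r--, so group http-cert can read it.
REDIRECTED = create_file(DEFAULT_ACL, 0o666, 0o077)
# `-out privkey.pem` with a 0600 creation mode, or a later chmod 0600: mask::--- either way.
WITH_OUT = create_file(DEFAULT_ACL, 0o600, 0o077)
CHMODDED = chmod(REDIRECTED, 0o600)
# No default ACL at all: the script's umask 077 alone makes the key 0600.
NO_ACL_DIR = create_file([], 0o666, 0o077)

if __name__ == "__main__":
    for name, acl in (("redirect", REDIRECTED), ("-out", WITH_OUT), ("no default ACL", NO_ACL_DIR)):
        print(f"# {name}\n{render(acl)}\n")
```

The model only reasons about ACL entries; the authoritative check on a real system is still getfacl on the generated privkey.pem, where the "#effective:---" annotation is the symptom the PR describes.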

adam added the pull-request label 2025-12-29 01:29:37 +01:00
adam closed this issue 2025-12-29 01:29:37 +01:00
Reference: starred/dehydrated#845