From: Lloyd <ng2d68@proton.me>
Subject: Re: lack of privsep in acme-client(1) - thoughts?
To: Janne Johansson <icepic.dz@gmail.com>
Cc: tech <tech@openbsd.org>
Date: Tue, 16 Dec 2025 08:48:00 +0000

Janne Johansson wrote:

> Did you read https://kristaps.bsd.lv/acme-client/ to see how the
> different parts are protected and use whatever privs they need and
> nothing more?

Thanks for the link. I do understand pledge() and unveil() are used;
however, does that obviate any need to run it as a non-root user?

It appears the original author intended for certificates to be stored
under /etc/ssl/acme and keys under /etc/ssl/acme/private but this
requirement (and any indication of such intent) was dropped at some
point.

Regards
Lloyd