
From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: lack of privsep in acme-client(1) - thoughts?
To: Lloyd <ng2d68@proton.me>, tech <tech@openbsd.org>
Date: Tue, 16 Dec 2025 09:26:41 -0700

Stuart Henderson <stu@spacehopper.org> wrote:

> > 4. Certificate storage - needs to be writable - create /etc/ssl/acme
> >    and /etc/ssl/acme/private - or leave this up to the user? Needs to
> >    be writable by _acme user/group - keys should be protected.
> 
> those changes would make it a lot more awkward for some use-cases.
> 
> for example, if you have various daemons running as different uids that
> need access to keys then you either need to create separate groups for
> each of them + _acme, and then _acme will be in many supplemental groups
> and you can bump into NGROUPS_MAX fairly easily.

That allows a non-root user to create files in the / partition, which we
separated out intentionally.  Now they can potentially fill it.