From: Lloyd
Subject: lack of privsep in acme-client(1) - thoughts?
To: tech
Date: Tue, 16 Dec 2025 07:33:42 +0000

One of my biggest issues with acme-client(1) - which does string parsing of
untrusted input from the network - is shown below:

	if (getuid() != 0)
		errx(EXIT_FAILURE, "must be run as root");

AFAIK there is no justified need to run acme-client child processes as root,
and it could fare better with a dedicated user and some tidying up of file
locations. I think it's one of the few utilities in base that does not do
this.

I'm willing to code up some basic privsep but am unsure of the logistics.
Ideally the following would need to happen:

1. A new UID/GID _acme/_acme are created (how are they checked out?)
2. /var/www/acme should be set to 0775 root:_acme
3. /etc/acme should be set to 0770 root:_acme
4. Certificate storage - needs to be writable - create /etc/ssl/acme and
   /etc/ssl/acme/private - or leave this up to the user? Needs to be
   writable by _acme user/group - keys should be protected.

There may be some breakage as this feature is introduced, but I feel that is
far less bad than letting it continue to run as root.

Regards
Lloyd
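The privilege drop that the proposal above depends on, as an added C example that is not acme-client's code: start as root, switch to the dedicated account, and verify that root cannot be regained. The account name `_acme` is the one proposed in the mail; `drop_to` and `drop_to_user` are hypothetical names, and the account is assumed to exist when run for real.

```c
/* Added example, not acme-client code: drop from root to the proposed
 * "_acme" account, OpenBSD daemon style, and verify it is irreversible. */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Switch to uid/gid; return 0 only if root can no longer be regained. */
int
drop_to(uid_t uid, gid_t gid)
{
	/* Only root may set supplementary groups; skip if already unprivileged. */
	if (geteuid() == 0 && setgroups(1, &gid) == -1)
		return -1;
	/* Group first: once the uid is dropped the gid can't be changed. */
	if (setgid(gid) == -1 || setuid(uid) == -1)
		return -1;
	/* Real and effective ids must both hold the target. */
	if (getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid)
		return -1;
	/* Would succeed if the saved set-user-ID were still 0. */
	if (uid != 0 && setuid(0) != -1)
		return -1;
	return 0;
}

/* Resolve the account by name (e.g. "_acme") and drop to it. */
int
drop_to_user(const char *name)
{
	struct passwd *pw = getpwnam(name);	/* NULL: account not created yet */

	return pw == NULL ? -1 : drop_to(pw->pw_uid, pw->pw_gid);
}

int
main(void)
{
	/* Only meaningful as root; afterwards the network parsing runs as _acme. */
	if (getuid() != 0 || drop_to_user("_acme") == -1) {
		fprintf(stderr, "privilege drop to _acme failed\n");
		return 1;
	}
	return 0;
}
```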