From: Stuart Henderson Subject: Re: lack of privsep in acme-client(1) - thoughts? To: Lloyd Cc: tech Date: Tue, 16 Dec 2025 11:29:43 +0000 On 2025/12/16 07:33, Lloyd wrote: > One of my biggest issues with acme-client(1) - which does string parsing > of untrusted input from the network - is shown below: > > if (getuid() != 0) > errx(EXIT_FAILURE, "must be run as root"); > > AFAIK there is no justified need to run acme-client child processes as > root, and it could fare better with a dedicated user and some tidying up > of file locations. > > I think it's one of the few utilities in base that does not do this. acme-client is one of the few utilities in base that was written to use pledge from very early on. the 'portable' version of acme-client (which was archived in 2018 and I don't think is usable any more) switched uid but the pledges in the subprocesses are so strong that IIRC this wasn't deemed necessary to keep. most subprocs have pledge "stdio" so are extremely restricted (i'm not 100% certain but i think the remaining allowed syscalls are ones which don't need to check privs anyway) the others are chngproc; "stdio cpath wpath" in challenge dir only dnsproc; r access to files involved in dns resolution fileproc; "stdio cpath wpath rpath fattr" restricted to certdir only netproc; r access to /etc/ssl/cert.pem, revoked after connecting it doesn't seem like dropping root will actually help improve security? > I'm willing to code up some basic privsep but am unsure of the logistics. > > Ideally the following would need to happen: > > 1. A new UID/GID _acme/_acme are created (how are they checked out)? > > 2. /var/www/acme should be set to 0775 root:_acme > > 3. /etc/acme should be set to 0770 root:_acme > > 4. Certificate storage - needs to be writable - create /etc/ssl/acme > and /etc/ssl/acme/private - or leave this up to the user? Needs to > be writable by _acme user/group - keys should be protected. those changes would make it a lot more awkward for some use-cases. for example, if you have various daemons running as different uids that need access to keys then you either need to create separate groups for each of them + _acme, and then _acme will be in many supplemental groups and you can bump into NGROUPS_MAX fairly easily.