From: "Theo de Raadt"
Subject: Re: lack of privsep in acme-client(1) - thoughts?
To: Lloyd, tech
Date: Tue, 16 Dec 2025 09:26:41 -0700

Stuart Henderson wrote:

> > 4. Certificate storage - needs to be writable - create /etc/ssl/acme
> > and /etc/ssl/acme/private - or leave this up to the user? Needs to
> > be writable by _acme user/group - keys should be protected.
>
> those changes would make it a lot more awkward for some use-cases.
>
> for example, if you have various daemons running as different uids that
> need access to keys then you either need to create separate groups for
> each of them + _acme, and then _acme will be in many supplemental groups
> and you can bump into NGROUPS_MAX fairly easily.

That allows a non-root user to create files in the / partition, which
we separated out intentionally. Now they can potentially fill it.