
security/acme-client: use a dedicated unprivileged user/group
Closed, Public

Authored by tgyurci_gmail.com on Jan 9 2017, 3:43 PM.
Tags
None

Details

Reviewers
brnrd
mat

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 6663
Build 6881: arc lint + arc unit

Event Timeline

tgyurci_gmail.com retitled this revision from to security/acme-client: use a dedicated unprivileged user/group.
tgyurci_gmail.com updated this object.
tgyurci_gmail.com edited the test plan for this revision. (Show Details)

Sorry to leave this lying around for so long...

The whole premise of acme-client is that it runs as root but drops privileges for any operation that doesn't require root.
Check the documentation on https://kristaps.bsd.lv/acme-client/

Your change only changes the user that root drops privs to. I don't see any value in that, am I missing something?

The rationale is that it does not use the "shared" nobody. I have disabled outgoing network traffic on my server, and having a separate user for acme-client allows to whitelist that user and therefore that "service" only.
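A pf.conf fragment illustrating the per-user egress whitelisting described in the rationale above (an added example, not part of this review or of the port's own files; the account name, interface name and ports are assumptions, and it assumes the client's name resolution also runs under the dropped-privilege user):

```pf
# /etc/pf.conf fragment (constructed example): default-deny egress, then
# allow outbound sockets only when they are owned by the dedicated
# acme-client account. The account must exist before pf.conf is loaded,
# because pf resolves the user name at load time.

ext_if = "em0"          # assumption: external interface name
acme_user = "_acme"     # assumption: the dedicated unprivileged account

set skip on lo0

# Default: this host originates no outbound traffic.
block out log on $ext_if all

# The processes that root drops privileges to run as $acme_user, so the
# "user" keyword lets exactly those sockets out; "nobody" and every other
# account stay blocked. HTTP/HTTPS for the ACME exchange, UDP 53 for the
# lookups that precede it.
pass out quick on $ext_if proto tcp from ($ext_if) to any port { 80 443 } \
    user $acme_user keep state
pass out quick on $ext_if proto udp from ($ext_if) to any port 53 \
    user $acme_user keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; note that the "user" match only applies to traffic originated on this host, which is why the rules are on the outbound direction.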

Understood. Do you already have this running on your systems?
It will take me a while before I have certs that need to renew 😄

I do not run it in production, but I have tested it, and it worked well.

Dang. Forgot to do the "complete link" to review in the commit...

This revision is now accepted and ready to land.
Mar 10 2018, 6:28 PM