Explicitly set ownership to nginx for certs created by ssl Certificate() #117
Conversation
|
@zagy Could you please check, if this is the correct fix? I want to be sure, that I understood the problem correctly ;) |
|
It sure looks like it does the right thing. |
src/batou_ext/ssl.py
Outdated
| @@ -248,6 +248,7 @@ def update(self): | |||
| -out {{component.fullchain}} | |||
| """ | |||
| ) | |||
| self.cmd("setfacl -Rm u:nginx:rX {{componet.key.dir}}") | |||
There was a problem hiding this comment.
Double check https://github.com/flyingcircusio/batou_ext/blob/master/src/batou_ext/acl.py#LL7C22-L7C22 whether useful
There was a problem hiding this comment.
Unfortunately it only works for files, not folders.
|
There is a problem, if the cert directory is in a sub directory of directory with missing permissions for nginx. |
nichmoe
force-pushed
the
FC-30497-Add-acl-to-nginx-to-ssl-Certificate
branch
3 times, most recently
from
4fcbbb2 to
cc9aed3
Compare
|
Works not for Debian e.a (User www-data for Nginx). Worth making the user configurable? |
nichmoe
force-pushed
the
FC-30497-Add-acl-to-nginx-to-ssl-Certificate
branch
from
cc9aed3 to
c49bdd1
Compare
src/batou_ext/ssl.py
Outdated
| @@ -102,6 +102,8 @@ class Certificate(batou.component.Component): | |||
| # You will need something like nrpehost or sensuchecks on the host | |||
| enable_check = batou.component.Attribute("literal", default=True) | |||
|
|
|||
| cert_owner = batou.component.Attribute(str, default="nginx") | |||
There was a problem hiding this comment.
I really like to rename the variable. I'm aware of that it makes sense, but we are allowing access to the cert to the user Nginx (or other applications) are running in. Hence I think something like granted_user or whatever (not having a good idea though ;)) would be a better name.
nichmoe
force-pushed
the
FC-30497-Add-acl-to-nginx-to-ssl-Certificate
branch
from
c49bdd1 to
cf6d736
Compare
When the service user places the cert, the cert is owned by it. If Nginx runs as root, this doesn't create any problems. But if Nginx runs as a separate user, it may be denied access to the cert.
This change sets the ownership of the created certs to
nginx, to fix this problem.