acmetool: private key is world-readable ?
After I solved #414, the next step was to run ./scripts/cmdeploy dns
This showed an error indicating it's forcing my private key to be world-readable!
> ./scripts/cmdeploy dns
[ssh] login to chat.example.com
Collecting initial DNS settings............20240924144438 [WARN] fdb: "live/chat.example.com/privkey" has wrong mode -r--r----, changing to -rw-r--r--
20240924144438 [CRITICAL] acmetool: fatal: storage: readlink /var/lib/acme/live/chat.example.com: invalid argument
...
Check expected zone file entries.........................................
Please set required DNS entries at your DNS provider:
(REDACTED)
This is a fairly serious local security violation, please correct this.
I just looked into /var/lib/acme/keys: the folders there are not executable for anyone except the owner, so nobody except root can even enter /var/lib/acme/keys/... and read the privkey file there.
@feld do you think it's still worthwhile to ensure non-world-readability? We can probably fix it but I'm not sure it's worth it. If someone can get to the dir then they can probably also read the file, whatever the mode?
> /var/lib/acme/keys

That's not where the private key for the certificate is stored; it's /var/lib/acme/live/DOMAIN/privkey
I believe /var/lib/acme/keys holds the keys for your acme account(s). So last I checked privkey was world-readable, but I'm not using acmetool at the moment. I'll need to deploy chatmail with cmdeploy on a fresh server to verify.
privkey is a symlink into keys:
-rw-r--r-- 1 root root 1.9K Oct 30 17:29 cert
-rw-r--r-- 1 root root 1.8K Oct 30 17:29 chain
-rw-r--r-- 1 root root 3.6K Oct 30 17:29 fullchain
lrwxrwxrwx 1 root root 71 Oct 30 17:29 privkey -> ../../keys/w5m222ayywca6jnwl43gqnnh4ecgkq6v4ixpbvvogu36zeey6uzq/privkey
This is how it is on a recently redeployed server; I switched to the postfix user:
postfix@c2-new:/var/lib/acme/live/c2.testrun.org$ less privkey
privkey: Permission denied
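The question the thread settles by hand (does a 0644 privkey matter when the keys/ directories are 0700?) can be checked mechanically: an unrelated user can read a file only if every directory on the resolved path grants "others" the search (x) bit and the final file grants the read bit. The script below is an added example, not code from acmetool or chatmail; it assumes GNU coreutils (stat -c, realpath) and builds a throwaway copy of the layout shown above (keys/<id>/privkey 0644 behind 0700 directories, with live/DOMAIN/privkey a relative symlink) under a temp directory instead of touching /var/lib/acme.

```shell
#!/bin/sh
# Added example: decide whether a file is effectively world-readable,
# following symlinks and checking directory traversal, not just the file mode.
# Assumes GNU coreutils: stat -c '%a' and realpath. Not part of acmetool.

# mode_other PATH -> the "others" octal digit of PATH's permission bits
mode_other() {
    m=$(stat -c '%a' "$1")
    printf '%s\n' "${m#"${m%?}"}"   # keep only the last digit
}

# world_readable FILE [STOP_DIR]
# Returns 0 if a user who owns nothing on the path could read FILE:
# every directory below STOP_DIR (default "/") must be world-searchable
# and the resolved file must be world-readable. Symlinks are resolved
# first, so live/DOMAIN/privkey is judged by the keys/... target it points at.
world_readable() {
    target=$(realpath "$1")
    stop=$(realpath "${2:-/}")
    dir=$(dirname "$target")
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ]; do
        o=$(mode_other "$dir")
        [ $((o & 1)) -eq 1 ] || return 1    # others lack x: cannot enter dir
        dir=$(dirname "$dir")
    done
    o=$(mode_other "$target")
    [ $((o & 4)) -eq 4 ]                    # others need r on the file itself
}

# setup_fixture -> prints a temp root mirroring the thread's layout
# (constructed data; the key file is a placeholder, not a real key).
setup_fixture() {
    root=$(mktemp -d)
    chmod 755 "$root"                        # mktemp makes 0700; open the root
    mkdir -p "$root/keys/w5m2example" "$root/live/chat.example.com"
    printf 'PLACEHOLDER, NOT A KEY\n' > "$root/keys/w5m2example/privkey"
    chmod 644 "$root/keys/w5m2example/privkey"        # the mode acmetool sets
    chmod 700 "$root/keys" "$root/keys/w5m2example"   # what was found on disk
    ln -s ../../keys/w5m2example/privkey "$root/live/chat.example.com/privkey"
    printf '%s\n' "$root"
}

# Usage on a real host:  . ./check.sh; world_readable /var/lib/acme/live/DOMAIN/privkey && echo EXPOSED
```

With the 0700 directories in place the check fails at keys/, matching the "Permission denied" seen as the postfix user; loosening the directories to 0755 makes the 0644 file readable, and only then does the file mode itself become the deciding factor.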