Hi Enrico,

On Tue, Jan 17, 2017 at 3:59 PM, Enrico Zini <enr...@debian.org> wrote:
>
> Currently prosody is added to group ssl-cert so it can read the snakeoil
> private certificate.
>
> I don't know why prosody should need to use the snakeoil certificate at all now
> that we have letsencrypt (see #767741); however I am rather uneasy at the idea
> that my XMPP server can access whatever is in /etc/ssl/private.
As far as I can see, there's quite a number of packages which use the snakeoil
certificate:

t% apt-cache rdepends ssl-cert
ssl-cert
Reverse Depends:
  cups-daemon
  yaws
  xrdp
  vsftpd
  tryton-server
  squidclient
  prosody
  prayer
  postgresql-common
  postgresql-10
  postfix
  ocserv
  nrpe-ng
  node-rai
  nginx-common
  kopano-webapp-common
  keystone
  janus
  freeradius-config
  freedombox-setup
  filetea
  dovecot-core
  dkimproxy
  debian-edu-config
  apache2
  cipux-rpcd
  calendarserver

I haven't checked all of them, but some of them definitely do the same: they add
themselves to the ssl-cert group to have access to the certificate's private key
(for example postgresql-10). So this looks like common practice.

As for letsencrypt, I agree that no one should use the snakeoil certificate in
production, but it's a bit hard to require a correctly set up letsencrypt
infrastructure during prosody's install. The snakeoil certificate is essentially
an example dummy one.

> Since snakeoil certificates are symlinked into /etc/prosody/certs anyway, would
> it be possible, instead of adding prosody to the group ssl-cert, to copy the
> snakeoil certificates into /etc/prosody/certs during postinst, and set their
> permissions to be read by prosody?
>
> That way prosody could access the snakeoil certificates only.

It's definitely possible, but if you don't want random packages to read your
certificates, I would suggest that you keep their keys out of /etc/ssl/private.

Cheers!
-- 
Sergei Golovan
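The alternative Enrico proposes, as an added shell example that is not part of this bug thread and not prosody's actual postinst: copy only the snakeoil pair into a service-owned directory with tight permissions, so the service user never needs to be in group ssl-cert (membership in that group grants read access to every group-readable key under /etc/ssl/private, not just the snakeoil one). The Debian paths for the snakeoil pair (/etc/ssl/private/ssl-cert-snakeoil.key, /etc/ssl/certs/ssl-cert-snakeoil.pem) are real; the destination file names localhost.key/localhost.crt, the helper names and the scratch-directory demo are assumptions made for the example. Ownership and group are passed in as parameters so the script can be exercised without root against a temporary directory; a real postinst would pass root and the prosody user's group.

```shell
#!/bin/sh
# Added example, not from the Debian bug thread and not prosody's postinst.
# Contrast (not executed here): the group approach a maintainer script
# would use is "adduser prosody ssl-cert", which lets prosody read every
# key in /etc/ssl/private that is group-readable by ssl-cert.
set -eu

# install_snakeoil_copy SRC_KEY SRC_CERT DEST_DIR OWNER GROUP
# Copies the pair into DEST_DIR: certificate world-readable (0644), key
# 0640 owned by OWNER and readable only by GROUP. install(1) applies the
# mode together with the copy, so the key never sits in DEST_DIR with a
# wider umask-derived mode. File names are assumptions for this example.
install_snakeoil_copy() {
    src_key=$1; src_cert=$2; dest=$3; owner=$4; group=$5
    install -d -m 0755 "$dest"
    install -m 0644 "$src_cert" "$dest/localhost.crt"
    install -m 0640 -o "$owner" -g "$group" "$src_key" "$dest/localhost.key"
}

# key_mode_ok FILE: succeed only if FILE has exactly mode 0640
# (owner rw, group r, nothing for others). Uses ls(1) output so it
# works with both GNU and BSD userlands; an ACL marker in column 11
# is ignored.
key_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-r-----" ]
}

# Stand-alone demo against a scratch directory with constructed,
# throw-away file contents (not real key material).
demo() {
    tmp=$(mktemp -d)
    printf 'constructed fake key material\n' > "$tmp/ssl-cert-snakeoil.key"
    printf 'constructed fake certificate\n' > "$tmp/ssl-cert-snakeoil.pem"
    chmod 0640 "$tmp/ssl-cert-snakeoil.key"
    # Real postinst would use: root and the prosody service group.
    install_snakeoil_copy "$tmp/ssl-cert-snakeoil.key" \
        "$tmp/ssl-cert-snakeoil.pem" "$tmp/certs" "$(id -un)" "$(id -gn)"
    if key_mode_ok "$tmp/certs/localhost.key"; then
        echo "key mode OK: $(ls -l "$tmp/certs/localhost.key")"
    else
        echo "key mode WRONG: $(ls -l "$tmp/certs/localhost.key")"
    fi
    rm -rf "$tmp"
}

demo
```

The check in key_mode_ok is the one worth keeping in a real maintainer script or a post-install audit: a key that is world-readable (0644) or group-readable by a broad group is exactly the exposure Enrico objects to, just moved to a different directory.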