Package: certbot
Version: 0.10.2-1
Severity: serious
Tags: security
Justification: 5.b

Dear Maintainer,

certbot.service is configured to be executed with root privileges. This leads to a potential attack vector while renewing certificates, especially when using the 'standalone' authenticator.

For most setups it should be sufficient to run 'certbot --renew' as an unprivileged user 'certbot'. This would require the following changes in the default setup:

- /etc/letsencrypt and /var/letsencrypt must be owned and writable by 'certbot'
- for standalone authenticator, the default port has to be changed to an unprivileged one (e.g. 8080).
- for webroot authenticator, a separate directory for the acme challenge owned and writable by 'certbot' must be created (e.g. /etc/letsencrypt/acme-challenge) and an Apache rewrite rule must redirect requests to this directory:

    RewriteRule ^/(\.well-known/acme-challenge/.*)$ \
        /etc/letsencrypt/acme-challenge/$1 [L]
    <Directory /etc/letsencrypt/acme-challenge>
        AllowOverride none
        Require all granted
    </Directory>

For nginx, a similar configuration would be required.

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages certbot depends on:
ii  init-system-helpers  1.48
ii  python               2.7.13-2
ii  python-certbot       0.10.2-1

certbot recommends no packages.

Versions of packages certbot suggests:
pn  python-certbot-apache  <none>
pn  python-certbot-doc     <none>

-- no debconf information
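
The service-account and ownership changes listed in the report, staged and checked from the shell. This is an added example, not part of the report or of the Debian package: the account name and the two directories are the report's, while the drop-in file name, the PREFIX argument and the extra hardening directives (NoNewPrivileges, PrivateTmp, ProtectHome) are assumptions.

```shell
#!/bin/sh
# Added example: stage the unprivileged-renewal setup under a prefix so it can
# be reviewed before it is copied onto a live system.

SVC_USER=certbot                                  # account proposed in the report
STATE_DIRS="/etc/letsencrypt /var/letsencrypt"    # directories named in the report

# write_dropin PREFIX
# Write a systemd drop-in that replaces the implicit root default of
# certbot.service with the unprivileged account. Prints the file path.
write_dropin() {
    d="$1/etc/systemd/system/certbot.service.d"
    mkdir -p "$d" || return 1
    cat > "$d/unprivileged.conf" <<EOF
[Service]
User=$SVC_USER
Group=$SVC_USER
# Assumed extras, not requested in the report:
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
EOF
    printf '%s\n' "$d/unprivileged.conf"
}

# runs_as FILE
# Print the User= a single unit or drop-in file sets; a unit without
# User= runs as root, which is the situation the report describes.
runs_as() {
    u=$(sed -n 's/^User=//p' "$1" | tail -n 1)
    printf '%s\n' "${u:-root}"
}

# not_owned PREFIX OWNER
# List every path below the state directories that OWNER (name or numeric
# uid) does not own. Empty output means the ownership requirement is met.
not_owned() {
    for dir in $STATE_DIRS; do
        if [ -d "$1$dir" ]; then
            find "$1$dir" ! -user "$2"
        fi
    done
    return 0
}
```

On a live host, call the functions with an empty PREFIX and compare the result against `systemctl show -p User certbot.service`, which reports the value systemd actually applies after merging drop-ins.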