From 5eb3a9b6c55baf44d3b39ba9988a2d2f5f0219dc Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 15 May 2017 19:42:01 +0800 Subject: [PATCH] Created how about the private key access modes, chmod, or chown or umask ? (markdown) --- ...cess-modes,--chmod,-or-chown-or-umask-?.md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask-?.md diff --git a/how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask-?.md b/how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask-?.md new file mode 100644 index 0000000..a60a776 --- /dev/null +++ b/how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask-?.md @@ -0,0 +1,24 @@ +# How acme.sh deals with the private key file modes ? + +A short answer is: we deal with the file permission as little as possible. + +A shorter answer is: we almost don't change the file permissions, you set it yourself, and it will keep forever. + +Ok, let me give a longer answer: + +1. By default, the key/cert files are saved in `~/.acme.sh`, this folder is set to mode `700` by default. So, nobody else can read your private key. +2. When you use `--install-cert` command to **copy** the cert to the target locations, we use `cat keyfile > target_key_file` pattern, in which the target file permission is not changed, and you only need **write** permission to the target file. +Yes, if the target file doesn't exist for the first time, it will be created with your default *umask*, which is **umask 022** in most of the unix/linux systems. In this case, somebody else *may* read your private key file. But you can change the file mode manually, `chmod 700 target_key_file`. +The reason why we don't change the file mode is: + 1. `chmod` may have different support crossing different platforms. + 2. We respect the users choice most. We trust you more than ourselves. you can change the file modes manually, you know your system best. We respect your choice. + 3. There may cause problems if running as root, for example, when running as root, and we default to change the mode to `700` for the private key file, the apache server is commonly running as user `www-data`, it can not read your private key. nginx server has the same problem. Which could cause the normal uses confused. + + +So, doing more doesn't mean doing better. Less is more. + + + + + +