Package: dehydrated Version: 0.3.1-2 Severity: wishlist Hi! Currently, dehydrated creates both the parent directories and certs/privkeys it outputs with permissions for root only. This works for daemons that load everything as root (apache, etc) but not for those that drop privileges early (exim, postgres, etc).
As far as I know, the recommended way to do so is adding the daemons to group ssl-cert which is created by some (but not all) ssl key generating packages; those which do make /etc/ssl/private/ readable by that group. I think it'd be a good idea for dehydrated to support this group by default: * directories as root:ssl-cert mode 710 * .pem files as root:ssl-cert mode 640 Meow! -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: x32 (x86_64) Kernel: Linux 3.14.77-vs2.3.6.15-x32 (SMP w/8 CPU cores) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages dehydrated depends on: ii ca-certificates 20161130 ii curl 7.52.1-2 ii openssl 1.1.0d-2 dehydrated recommends no packages. dehydrated suggests no packages. -- no debconf information
