Package: acmetool
Version: 0.0.59-1+b1
Severity: wishlist

There is a bit of a convention, created by the "ssl-cert" package AFAICT, that private keys are owned by the group "ssl-cert". This allows packages to not run as root but still have use of the certs.

It also allows for processes to drop privileges and still have access if they do a "reload".

The way the "ssl-cert" package does it is that it has a "postinst" script that creates the group if it doesn't already exist:

    # Create the ssl-cert system group for snakeoil ownership:
    if ! getent group ssl-cert >/dev/null; then
        addgroup --quiet --system --force-badname ssl-cert
    fi

https://anonscm.debian.org/cgit/pkg-apache/ssl-cert.git/tree/debian/postinst

For "acmetool" it may need to be a "preinst" script so newly created dirs can be chgrp'd properly. That would mean that "/var/lib/acme/keys/" would be owned by the "ssl-cert" group and have the set-GID bit on so new sub-dirs (and files within them) have correct ownership. The umask would probably also have to change from 077 to 027.

-- System Information:
Debian Release: 8.9
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages acmetool depends on:
ii  init-system-helpers  1.22
ii  libc6                2.19-18+deb8u10
ii  libcap2              1:2.24-8

Versions of packages acmetool recommends:
pn  dialog  <none>

acmetool suggests no packages.

-- no debconf information

_______________________________________________
Letsencrypt-devel mailing list
Letsencrypt-devel@lists.alioth.debian.org
https://lists.alioth.debian.org/mailman/listinfo/letsencrypt-devel
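The group-ownership, set-GID and umask arrangement proposed in the report, as an added maintainer-script sketch that is not acmetool's own packaging: the function names, the check routine and the use of /var/lib/acme/keys as the target are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not acmetool's packaging): applying the ssl-cert group
# convention to a key directory. Function names are assumptions.
set -e

# Create the shared system group if it is missing, the way ssl-cert's
# postinst does. Needs root; a no-op when the group already exists.
ensure_group() {
    grp="$1"
    if ! getent group "$grp" >/dev/null; then
        addgroup --quiet --system --force-badname "$grp"
    fi
}

# Make DIR group-owned by GRP with the set-GID bit (mode 2750), so that
# sub-directories and files created later inherit the group. The umask
# of 027 makes new entries group-readable but never world-readable.
setup_keys_dir() {
    dir="$1"; grp="$2"
    umask 027
    mkdir -p "$dir"
    chgrp "$grp" "$dir"
    chmod 2750 "$dir"
}

# Verify the invariants a reviewer would check: group ownership, the
# set-GID bit, and that a freshly created file inherits the group and
# is not world-readable. Returns 0 on success, 1 on the first failure.
check_keys_dir() {
    dir="$1"; grp="$2"
    [ -d "$dir" ] || return 1
    [ -g "$dir" ] || return 1                                   # set-GID present
    [ -n "$(find "$dir" -maxdepth 0 -group "$grp")" ] || return 1
    ( umask 027; : > "$dir/probe.pem" )                         # constructed probe file
    [ -n "$(find "$dir/probe.pem" -group "$grp")" ] || return 1 # group inherited
    [ -n "$(find "$dir/probe.pem" ! -perm -004)" ] || return 1  # no world read bit
    rm -f "$dir/probe.pem"
}

# Intended use from a preinst running as root (assumed path):
#   ensure_group ssl-cert
#   setup_keys_dir /var/lib/acme/keys ssl-cert
#   check_keys_dir /var/lib/acme/keys ssl-cert
```

The checks only use POSIX `test -g` and `find -group`/`-perm`, so they can run unprivileged against a scratch directory with the caller's own primary group before being wired into a package.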