
SSL Client Auth Cert/Key issue with newer APT



Hello!

First off: I'm not sure if this counts as a bug (we feel it kinda does), but I don't know which bug tracker to submit this to, if any.
So if anyone could point me there instead, that's fine too :)

We run our own private package repository for our servers that hosts custom packages that we build for ourselves.
This repository is protected with SSL client certificate authentication.

The client and CA certificates are stored in /etc/ssl/certs/, and the key in /etc/ssl/private. This works fine in earlier Debian and Ubuntu versions, but with Ubuntu 16.04 and Debian stretch, it no longer does.

apt-get now drops privileges to the user _apt, which has no access to /etc/ssl/private.

Now:

1) If we would change permissions of /etc/ssl/private, it would open up the directory/files to others as well.
2) We could add _apt to a group and fix permissions for that group, but it'd still be changing a system user we'd prefer not to.
3) Moving the certificates to -for example- /etc/apt/ssl/ would open up a similar problem as point 1: Giving a non-privileged user, _apt, access to the private keys.

We believe that apt-get should read the private keys and certs /before/ dropping privileges. We also realise that we're probably one of the very few that both run a private repository ánd use SSL client auth certs.

Kind regards,

Daniël Mostertman
XS4ALL Internet bv.
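An added example, not part of the mail above and not apt's own code: a small audit that reads the TLS options from apt.conf text and works out, from plain POSIX mode bits, whether the unprivileged fetch user could open each file and whether the private key is exposed beyond its owner. The option names (Acquire::https::[host::]SslCert, SslKey, CaInfo) are the ones documented for apt-transport-https; the _apt uid/gid, the repository hostname, the file paths and the two filesystem tables are constructed inputs so the script runs without apt installed. It models the three situations from the mail: the shipped layout (/etc/ssl/private is 0700 root, so _apt is blocked at the directory), option 1 (loosened permissions, so the key becomes world-readable) and option 2 (key shared with _apt's group).

```python
"""Audit the TLS client files apt is configured to use, seen from the
unprivileged fetch user (_apt) that newer apt drops to.

Added example, not code from the mail or from apt. The _apt uid/gids and the
filesystem tables below are constructed; everything else is mode-bit logic."""
import os
import re
import stat

# Documented apt-transport-https options; the optional middle component scopes
# an option to one host, e.g. Acquire::https::repo.example::SslKey "...";
_OPT_RE = re.compile(
    r'Acquire::https(?:::[\w.\-]+)?::(SslCert|SslKey|CaInfo)\s*"([^"]+)"\s*;',
    re.IGNORECASE,
)
_CANON = {"sslcert": "SslCert", "sslkey": "SslKey", "cainfo": "CaInfo"}


def parse_tls_paths(conf_text):
    """[(kind, path), ...] for every TLS file option found in the config text."""
    return [(_CANON[m.group(1).lower()], m.group(2)) for m in _OPT_RE.finditer(conf_text)]


def _allowed(mode, owner_uid, owner_gid, uid, gids, usr, grp, oth):
    """Classic POSIX bit test: owner class, else group class, else other.
    No ACLs, no capabilities, no root override: exactly _apt's situation."""
    if uid == owner_uid:
        return bool(mode & usr)
    if owner_gid in gids:
        return bool(mode & grp)
    return bool(mode & oth)


def can_read(mode, owner_uid, owner_gid, uid, gids):
    return _allowed(mode, owner_uid, owner_gid, uid, gids,
                    stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(mode, owner_uid, owner_gid, uid, gids):
    return _allowed(mode, owner_uid, owner_gid, uid, gids,
                    stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def classify(kind, mode, owner_uid, owner_gid, apt_uid, apt_gids):
    """Problems with one file's own mode bits, as a list of tags (empty = fine)."""
    problems = []
    if not can_read(mode, owner_uid, owner_gid, apt_uid, apt_gids):
        problems.append("not-readable-by-apt")
    if kind == "SslKey":
        if mode & stat.S_IROTH:
            problems.append("key-world-readable")       # the mail's objection to option 1
        elif mode & stat.S_IRGRP and owner_gid in apt_gids:
            problems.append("key-shared-via-group")     # the mail's option 2
    return problems


def audit_file(kind, path, apt_uid, apt_gids, stat_fn=os.stat):
    """Problems for one absolute path, including an unsearchable parent directory
    (/etc/ssl/private is normally 0700 root, which is what blocks _apt)."""
    problems = []
    parts = path.split("/")
    for i in range(1, len(parts)):
        d = "/".join(parts[:i]) or "/"
        st = stat_fn(d)
        if not can_search(st.st_mode, st.st_uid, st.st_gid, apt_uid, apt_gids):
            problems.append("dir-not-searchable:" + d)
            break
    st = stat_fn(path)
    problems += classify(kind, st.st_mode, st.st_uid, st.st_gid, apt_uid, apt_gids)
    return problems


def audit(conf_text, apt_uid, apt_gids, stat_fn=os.stat):
    """[(kind, path, problems), ...] for every TLS file the config names."""
    return [(kind, path, audit_file(kind, path, apt_uid, apt_gids, stat_fn))
            for kind, path in parse_tls_paths(conf_text)]


def make_stat(table):
    """Build a stat function from {path: (mode, uid, gid)} so the audit can be
    run against a described layout instead of the live filesystem."""
    def _stat(path):
        mode, uid, gid = table[path]
        return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))
    return _stat


# Constructed: uid/gid assumed for _apt, a config for one private repo, and the
# layout from the mail (cert and CA in /etc/ssl/certs, key in /etc/ssl/private).
APT_UID, APT_GIDS = 104, {104}
SAMPLE_CONF = """
Acquire::https::repo.example.internal::CaInfo  "/etc/ssl/certs/internal-ca.pem";
Acquire::https::repo.example.internal::SslCert "/etc/ssl/certs/client.pem";
Acquire::https::repo.example.internal::SslKey  "/etc/ssl/private/client.key";
"""
D, F = stat.S_IFDIR, stat.S_IFREG
SAMPLE_FS = {
    "/": (D | 0o755, 0, 0), "/etc": (D | 0o755, 0, 0), "/etc/ssl": (D | 0o755, 0, 0),
    "/etc/ssl/certs": (D | 0o755, 0, 0),
    "/etc/ssl/certs/internal-ca.pem": (F | 0o644, 0, 0),
    "/etc/ssl/certs/client.pem": (F | 0o644, 0, 0),
    "/etc/ssl/private": (D | 0o700, 0, 0),
    "/etc/ssl/private/client.key": (F | 0o600, 0, 0),
}
# Constructed: the same layout after "option 1" (loosening /etc/ssl/private).
LOOSENED_FS = {**SAMPLE_FS,
               "/etc/ssl/private": (D | 0o755, 0, 0),
               "/etc/ssl/private/client.key": (F | 0o644, 0, 0)}

if __name__ == "__main__":
    for label, fs in (("as shipped", SAMPLE_FS), ("loosened", LOOSENED_FS)):
        print(label)
        for kind, path, problems in audit(SAMPLE_CONF, APT_UID, APT_GIDS, make_stat(fs)):
            print(f"  {kind:8} {path}: {', '.join(problems) or 'ok'}")
```

To run it against a real machine instead of the tables, call audit() with the contents of /etc/apt/apt.conf.d/* and the real _apt uid and gids, leaving stat_fn at its os.stat default. The parent-directory walk is what matters here: a key with a readable mode is still unreachable when /etc/ssl/private itself is 0700, and conversely opening that directory for everyone is the over-exposure the mail argues against.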

