From 63135be7c243a540c5a8bb096416875c74b4f182 Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Fri, 6 Nov 2015 19:36:22 -0800
Subject: [PATCH] Downgrade a very excitable security comment to an XXX
Resolves: #1400
Also note that this function will need to become more sophisticated as we support autoupdating of config options (eg those changed in #1390)
---
 .../letsencrypt_apache/configurator.py | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py
index d376fe4b6..603a792d2 100644
--- a/letsencrypt-apache/letsencrypt_apache/configurator.py
+++ b/letsencrypt-apache/letsencrypt_apache/configurator.py
@@ -162,7 +162,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
 # Get all of the available vhosts
 self.vhosts = self.get_virtual_hosts()
- temp_install(self.mod_ssl_conf)
+ install_ssl_options_conf(self.mod_ssl_conf)
 def deploy_cert(self, domain, cert_path, key_path, chain_path=None, fullchain_path=None): # pylint: disable=unused-argument
@@ -1249,12 +1249,18 @@ def get_file_path(vhost_path):
 return avail_fp
-def temp_install(options_ssl):
- """Temporary install for convenience."""
- # WARNING: THIS IS A POTENTIAL SECURITY VULNERABILITY
- # THIS SHOULD BE HANDLED BY THE PACKAGE MANAGER
- # AND TAKEN OUT BEFORE RELEASE, INSTEAD
- # SHOWING A NICE ERROR MESSAGE ABOUT THE PROBLEM.
+def install_ssl_options_conf(options_ssl):
+ """
+ Copy Let's Encrypt's SSL options file into the system's config dir if
+ required.
+ """
+ # XXX if we ever try to enforce a local privilege boundary (eg, running
+ # letsencrypt for unprivileged users via setuid), this function will need
+ # to be modified.
+
+ # XXX if the user is in security-autoupdate mode, we should be willing to
+ # overwrite the options_ssl file at least if it's unmodified:
+ # https://github.com/letsencrypt/letsencrypt/issues/1123
 # Check to make sure options-ssl.conf is installed
 if not os.path.isfile(options_ssl):
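Review bot: The first XXX comment in install_ssl_options_conf says the function must change if a local privilege boundary is ever enforced, but it no longer says what the hazard is, so a later maintainer cannot tell what would need changing. The visible `os.path.isfile(options_ssl)` test is a check-then-act on a path, and whatever write follows it (the body continues outside the hunk, so this is inferred) runs with the caller's privileges. I would keep that reasoning in the comment, e.g. `# XXX the isfile() check and the copy are not atomic; safe only while the caller also owns the config dir`. The docstring would also read better as a one-line PEP 257 summary that says what "if required" means, e.g. `"""Copy Let's Encrypt's SSL options file to options_ssl if no file exists there."""`.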