From 63135be7c243a540c5a8bb096416875c74b4f182 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 6 Nov 2015 19:36:22 -0800 Subject: [PATCH 1/2] Downgrade a very excitable security comment to an XXX Resolves: #1400 Also note that this function will need to become more sophisticated as we support autoupdating of config options (eg those changed in #1390) --- .../letsencrypt_apache/configurator.py | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index d376fe4b6..603a792d2 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -162,7 +162,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # Get all of the available vhosts self.vhosts = self.get_virtual_hosts() - temp_install(self.mod_ssl_conf) + install_ssl_options_conf(self.mod_ssl_conf) def deploy_cert(self, domain, cert_path, key_path, chain_path=None, fullchain_path=None): # pylint: disable=unused-argument 
@@ -1249,12 +1249,18 @@ def get_file_path(vhost_path):
 return avail_fp
-def temp_install(options_ssl):
- """Temporary install for convenience."""
- # WARNING: THIS IS A POTENTIAL SECURITY VULNERABILITY
- # THIS SHOULD BE HANDLED BY THE PACKAGE MANAGER
- # AND TAKEN OUT BEFORE RELEASE, INSTEAD
- # SHOWING A NICE ERROR MESSAGE ABOUT THE PROBLEM.
+def install_ssl_options_conf(options_ssl):
+ """
+ Copy Let's Encrypt's SSL options file into the system's config dir if
+ required.
+ """
+ # XXX if we ever try to enforce a local privilege boundary (eg, running
+ # letsencrypt for unprivileged users via setuid), this function will need
+ # to be modified.
+
+ # XXX if the user is in security-autoupdate mode, we should be willing to
+ # overwrite the options_ssl file at least if it's unmodified:
+ # https://github.com/letsencrypt/letsencrypt/issues/1123
 # Check to make sure options-ssl.conf is installed
 if not os.path.isfile(options_ssl):
From a6a00c108b22e0dfef19b3f8cb053e867622ad4e Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Sat, 7 Nov 2015 03:01:33 -0800
Subject: [PATCH 2/2] Update test to reflect name change.
---
 .../letsencrypt_apache/tests/configurator_test.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py
index 7c2137c45..70825167a 100644
--- a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py
+++ b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py
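Review bot: The new docstring of `install_ssl_options_conf` says the file is copied "if required" without saying what that means, while the only guard visible in the hunk is `if not os.path.isfile(options_ssl):`, an existence check. An existing file is therefore presumably left untouched even when its protocol or cipher settings are outdated (the rest of the body is outside the hunk), and the docstring should say so, e.g. `Copy Let's Encrypt's SSL options file into the system's config dir if no file exists at that path yet; an existing file is never replaced.` The first XXX would also be more useful if it named the assumption it depends on, e.g. `# XXX assumes the directory holding options_ssl is writable only by the user running the client; the existence check and the copy are not atomic.` That keeps the toned-down comment while recording the concrete condition under which the old warning would apply again.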
@@ -492,10 +492,10 @@ class TwoVhost80Test(util.ApacheTest):
 def test_get_chall_pref(self):
 self.assertTrue(isinstance(self.config.get_chall_pref(""), list))
- def test_temp_install(self):
- from letsencrypt_apache.configurator import temp_install
+ def test_install_ssl_options_conf(self):
+ from letsencrypt_apache.configurator import install_ssl_options_conf
 path = os.path.join(self.work_dir, "test_it")
- temp_install(path)
+ install_ssl_options_conf(path)
 self.assertTrue(os.path.isfile(path))
 # TEST ENHANCEMENTS