[GH-ISSUE #1307] Insecure permissions for /etc/letsencrypt #2755

Closed
opened 2026-03-14 05:22:53 +03:00 by kerem · 2 comments

Originally created by @NiceGuyIT on GitHub (Oct 9, 2022).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1307

Originally assigned to: @wh1te909 on GitHub.

Server Info (please complete the following information):

  • OS: Ubuntu 20.04.4 LTS
  • Browser: Firefox 103.0.2 (64-bit)
  • RMM Version (as shown in top left of web UI): v0.15.0

Installation Method:

  • [X] Standard
  • [ ] Docker

Agent Info (please complete the following information):

  • Agent version (as shown in the 'Summary' tab of the agent from web UI): N/A
  • Agent OS: N/A

Describe the bug
Line 171 of the install.sh script (https://github.com/amidaware/tacticalrmm/blob/65ab14e68b6d370afc5c714ea57975d1555c90f1/install.sh#L171) changes permissions of /etc/letsencrypt to allow everyone read access to the rmm/api/mesh certs AND key PEM files. Anyone who has access to the TRMM server has access to the certs. This is insecure.

The update.sh (https://github.com/amidaware/tacticalrmm/blob/develop/update.sh#L337) has the same command.

To Reproduce
Steps to reproduce the behavior:

  1. cd /etc/letsencrypt/keys
  2. ls -la
  3. The key files have o=rx permissions.
-rwxrwxr-x 1 tactical tactical 1.7K Apr  9  2022 0000_key-certbot.pem*
-rwxrwxr-x 1 tactical tactical 1.7K Jul  8 17:28 0001_key-certbot.pem*

Expected behavior
The TLS keys should be readable only by the necessary processes. They should never be world readable.

Screenshots
N/A

Additional context
I'm reporting here because an attacker would need to gain access to the server and redirect DNS. This is extremely unlikely.

kerem closed this issue 2026-03-14 05:22:58 +03:00

@NiceGuyIT commented on GitHub (Oct 9, 2022):

For reference, here's the permissions after deleting /etc/letsencrypt and running certbot.

$ ls -la /etc/letsencrypt/
total 8
drwxr-xr-x  9 root root  108 Oct  9 18:30 .
drwxr-xr-x 72 root root 4096 Oct  9 18:28 ..
drwxr-xr-x  3 root root   42 Oct  9 18:28 accounts
drwx------  3 root root   23 Oct  9 18:30 archive
drwxr-xr-x  2 root root   34 Oct  9 18:30 csr
drwx------  2 root root   34 Oct  9 18:30 keys
drwx------  3 root root   37 Oct  9 18:30 live
drwxr-xr-x  2 root root   28 Oct  9 18:30 renewal
drwxr-xr-x  5 root root   43 Oct  9 18:28 renewal-hooks

$ ls -lad /etc/letsencrypt/*/*
drwxr-xr-x 3 root root   23 Oct  9 18:28 /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org
drwxr-xr-x 2 root root   83 Oct  9 18:30 /etc/letsencrypt/archive/a8n.tools
-rw-r--r-- 1 root root  920 Oct  9 18:30 /etc/letsencrypt/csr/0000_csr-certbot.pem
-rw------- 1 root root 1704 Oct  9 18:30 /etc/letsencrypt/keys/0000_key-certbot.pem
drwxr-xr-x 2 root root   93 Oct  9 18:30 /etc/letsencrypt/live/a8n.tools
-rw-r--r-- 1 root root  740 Oct  9 18:30 /etc/letsencrypt/live/README
-rw-r--r-- 1 root root  542 Oct  9 18:30 /etc/letsencrypt/renewal/a8n.tools.conf
drwxr-xr-x 2 root root    6 Oct  9 18:28 /etc/letsencrypt/renewal-hooks/deploy
drwxr-xr-x 2 root root    6 Oct  9 18:28 /etc/letsencrypt/renewal-hooks/post
drwxr-xr-x 2 root root    6 Oct  9 18:28 /etc/letsencrypt/renewal-hooks/pre


@wh1te909 commented on GitHub (Oct 14, 2022):

thanks! I removed the chmod command, not even sure why that was there lol... the perms don't need touching, the defaults are good.

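As an added example (not part of the original issue and not code from the tacticalrmm install or update scripts), here is a bash audit that does what the report asks for: it finds private keys under a certbot-style tree that carry the other-read bit, and it restores the certbot defaults shown in the listing above (archive, keys and live directories at 0700, key files at 0600). The directory layout, file names and "fake key" contents of the fixture are constructed for the demo so it runs without root; against the real /etc/letsencrypt you would pass that path and run as root.

```bash
#!/usr/bin/env bash
# Added example, not from the tacticalrmm project: audit a certbot-style tree
# for private keys readable by "other" and restore certbot's default modes.
set -u

# Directories certbot creates mode 0700 because they hold private keys.
# accounts/, csr/, renewal/ and renewal-hooks/ are not secrets and stay 0755.
KEY_DIRS="archive keys live"

# Print every regular file under the key-holding dirs with the other-read bit set.
# "-perm -004" matches when o+r is set, whatever the remaining bits are,
# so it catches 0775 (the install script's result) as well as 0644.
list_world_readable_keys() {
    local root="$1" d
    for d in $KEY_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -perm -004
    done
}

# Number of offending files; "0" when the tree is clean.
count_world_readable_keys() {
    list_world_readable_keys "$1" | wc -l | tr -d ' '
}

# Restore certbot defaults: key-holding dirs 0700, key files 0600.
fix_key_perms() {
    local root="$1" d
    for d in $KEY_DIRS; do
        [ -d "$root/$d" ] || continue
        chmod 700 "$root/$d"
        find "$root/$d" -type d -exec chmod 700 {} +
        find "$root/$d" -type f -exec chmod 600 {} +
    done
}

# Constructed fixture mimicking the report: one key left at 0775 as the
# install script did, one at certbot's default 0600, plus a public CSR.
make_fixture() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/keys" "$root/archive/example.test" "$root/csr"
    printf 'fake key\n' > "$root/keys/0000_key-certbot.pem"
    printf 'fake key\n' > "$root/keys/0001_key-certbot.pem"
    printf 'fake key\n' > "$root/archive/example.test/privkey1.pem"
    printf 'fake csr\n' > "$root/csr/0000_csr-certbot.pem"
    chmod 775 "$root/keys" "$root/keys/0000_key-certbot.pem"
    chmod 600 "$root/keys/0001_key-certbot.pem" "$root/archive/example.test/privkey1.pem"
    chmod 644 "$root/csr/0000_csr-certbot.pem"   # CSRs are public; 0644 is fine
    printf '%s\n' "$root"
}

# Usage: ./audit_le_perms.sh --demo   (fixture)
#        ./audit_le_perms.sh /etc/letsencrypt   (audit only, as root)
if [ "${1:-}" = "--demo" ]; then
    root="$(make_fixture)"
    echo "world-readable keys before fix: $(count_world_readable_keys "$root")"
    fix_key_perms "$root"
    echo "world-readable keys after fix:  $(count_world_readable_keys "$root")"
    rm -rf "$root"
elif [ -n "${1:-}" ]; then
    list_world_readable_keys "$1"
fi
```

The audit deliberately checks mode bits rather than whether the current user can read the file, so it gives the same answer whether run as root or as the tactical user; only the fix step needs root on the real tree. Note that the report's listing showed the files owned by tactical rather than root, which this script does not change; if the install chowned the tree, ownership needs a separate decision.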