remove usage of "acme" user, root does all the work

Recent versions of certbot need to be run as root, so there is no good reason to run it as an unprivileged user anymore.
2020-06-03 12:03:03 +02:00 · 2020-06-03 12:03:03 +02:00 · fdbfc13d79
parent 6ae5157699
commit fdbfc13d79
2 changed files with 11 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -11,6 +11,8 @@ This project does not follow semantic versioning.

 ### Changed

+* remove usage of "acme" user, root does all the work
+
 ### Deprecated

 ### Removed
--- a/evoacme.sh
+++ b/evoacme.sh
@ -118,21 +118,21 @@ main() {
    [ "$1" = "-V" ] || [ "$1" = "--version" ] && show_version && exit 0

    mkdir -p "${ACME_DIR}"
-    chown acme: "${ACME_DIR}"
+    chown root: "${ACME_DIR}"
    [ -w "${ACME_DIR}" ]        || error "Directory ${ACME_DIR} is not writable"

    [ -d "${CSR_DIR}" ]         || error "Directory ${CSR_DIR} is not found"

    mkdir -p "${CRT_DIR}"
-    chown acme: "${CRT_DIR}"
+    chown root: "${CRT_DIR}"
    [ -w "${CRT_DIR}" ]         || error "Directory ${CRT_DIR} is not writable"

    mkdir -p "${LOG_DIR}"
-    chown acme: "${LOG_DIR}"
+    chown root: "${LOG_DIR}"
    [ -w "${LOG_DIR}" ]         || error "Directory ${LOG_DIR} is not writable"

    mkdir -p "${HOOKS_DIR}"
-    chown acme: "${HOOKS_DIR}"
+    chown root: "${HOOKS_DIR}"
    [ -d "${HOOKS_DIR}" ]        || error "Directory ${HOOKS_DIR} is not found"

    readonly VHOST=$(basename "$1" .conf)
@ -195,7 +195,7 @@ main() {

    [ -d "${NEW_DIR}" ] && error "${NEW_DIR} directory already exists, remove it manually."
    mkdir -p "${NEW_DIR}"
-    chown -R acme: "${CRT_DIR}"
+    chown -R root: "${CRT_DIR}"
    chmod -R 0700 "${CRT_DIR}"
    chmod -R g+rX "${CRT_DIR}"
    debug "New cert will be created in ${NEW_DIR}"
@ -218,15 +218,14 @@ main() {
        CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} --register-unsafely-without-email"
    fi

-    # Permissions checks for acme user
-    sudo -u acme test -r "${CSR_FILE}" || error "File ${CSR_FILE} is not readable by user 'acme'"
-    sudo -u acme test -w "${NEW_DIR}" || error "Directory ${NEW_DIR} is not writable by user 'acme'"
+    # Permissions checks
+    test -r "${CSR_FILE}" || error "File ${CSR_FILE} is not readable"
+    test -w "${NEW_DIR}" || error "Directory ${NEW_DIR} is not writable"

    # create a certificate with certbot
    # we disable the set -e during the certbot call
    set +e
-    sudo -u acme \
-        "${CERTBOT_BIN}" \
+    "${CERTBOT_BIN}" \
        certonly \
        ${CERTBOT_MODE} \
        ${CERTBOT_REGISTRATION} \