How to change umask for Caddy service?

houmie · August 11, 2023, 8:12am

Hello,

I tried this a couple of months ago to no avail, but this time I tried to solve this differently.

I have the following part in my caddy.json:

"storage": {
    "module": "file_system",
    "root": "/home/admin/tls"
},

Right at the start before Caddy is even installed, I prepare the directory via bash script:

mkdir -p /home/admin/tls/certificates
sudo chown -R caddy:caddy /home/admin/tls
sudo chmod -R g+x /home/admin/tls/certificates/
sudo chmod -R g+r /home/admin/tls/certificates/
sudo chmod g+s /home/admin/tls/certificates/

Caddy and Xray should be able to access the certs in /home/admin/tls/.
xray user belongs to caddy group. Hence as long as group read and execution permission are given to caddy group, it would be fine.

So far so good, but as soon as Caddy obtains the certificates and stores them in /home/admin/tls/ the new sub-directories/files no longer keep the permissions from the parent directory and xray user loses access to the certs.

In Caddy service I tried to add UMask=0002 under [Service], but it didn’t help. What can I do?
Is there a post-hook where I could run

sudo chmod -R g+x /home/admin/tls/certificates/
sudo chmod -R g+r /home/admin/tls/certificates/

Caddy: v2.7.3 h1:eMCNjOyMgB5A1KgOzT2dXKR4I0Va+YHCJYC8HHu+DP0=

Many Thanks

francislavoie · August 11, 2023, 3:53pm

In general I recommend avoiding the use of /home with webservers. Use something like /opt or /etc/caddy for config/storage (default storage is /var/lib/caddy/.local/share/caddy; what’s wrong with that?), and /srv/ or /var/www for your site contents.

houmie · August 11, 2023, 4:09pm

Because I’m using Caddy in combination with Xray-core. The latter needs direct access to the certificates. I suppose I could keep the path to default /var/lib/caddy/.local/share/caddy. But it doesn’t change the permission problem for Xray to access it.

Even though I have given Group Read+Execution access to the path, the moment Caddy obtains a fresh copy for the certificates, it replaces the old permissions, and Xray can no longer access the certificates.

Does it make sense?

francislavoie · August 11, 2023, 4:22pm

You can use events to copy certs elsewhere:

houmie · August 11, 2023, 4:27pm

Yes, I remember trying that last time with an older version of Caddy.

Reading the link you sent me, it speaks of a third-party plugin. Do you know if caddy-events-exec is now already part of Caddy 2.7.3?

Thanks

matt · August 11, 2023, 5:50pm

It’s still a separate plugin for now.

houmie · August 15, 2023, 11:28am

Thank you guys. I got it this time working with the events.

"apps": {
    "events": {
      "subscriptions": [
        {
          "events": ["cert_obtained"],
          "handlers": [
            {
              "handler": "exec",
              "command": "/opt/shared_certs/xray_pack_ssl.sh",
              "args": []
            }
          ]
        }
      ]
    },

system · September 14, 2023, 11:29am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.