way to give read-only access to certain root-owned files to a DynamicUser unit

[cpitclaudel]

Hi there,

Is your feature request related to a problem? Please describe.

I'm using systemd to run a simple HTTPS server (quart with hypercorn).

I get certificates from LetsEncrypt, which puts them in /etc/letsencrypt/live/website/*.pem. These certificates are root-owned and not readable by anyone but root, but I need to give the server access to them somehow.

Usually this isn't a problem because webservers run as root and read certificates before dropping privileges, but I'd like to avoid this.

Here are the concrete unit definitions:

• hypercorn.socket

  [Unit]
  Description=Hypercorn socket
  PartOf=hypercorn.service
  
  [Socket]
  ListenStream=0.0.0.0:80
  
  [Install]
  WantedBy=sockets.target
  

• hypercorn.service

  [Unit]
  Description=Hypercorn website
  Requires=network.target local-fs.target
  Requires=hypercorn.socket
  
  [Service]
  User=hypercorn
  DynamicUser=yes
  StandardInput=socket
  ExecStart=/var/www/hypercorn/.venv/bin/hypercorn --bind fd://0 website:app
  Restart=on-failure
  Type=simple
  
  [Install]
  WantedBy=multi-user.target
  

Describe the solution you'd like

I'd like a way to copy and chown /etc/letsencrypt/live/website/ into a directory owned by the newly created dynamic user, before the server starts.

I think this is similar to https://serverfault.com/questions/987688/give-systemd-service-access-to-certificates-in-protected-folder , with the additional difficulty of running with a DynamicUser.

Describe alternatives you've considered

• I've tried using ExecStartPre to copy the files into a RuntimeDirectory and chown them, but I don't know which user to chown them to, since I'm using a DynamicUser.

• I've tried using a StateDirectory for the dynamic user and putting a copy of the certificates in there, but @poettering says Of course, services shouldn't using StateDirectory= if they can't start with an empty state directory in the first place... in systemd does not change the user and group ownership of RuntimeDirectory when root is not explicitly assigned to User #6391, so I ruled that idea out.

• I've tried using a BindReadOnlyPaths, but there doesn't seem to be a way to change the permissions of the files in the mount, to make them e.g. world-readable.

I'm sure there exists a solution, so this may be more of a documentation-update request than a feature request.

Thanks a lot!

[boucman]

IIRC you can decide the DynamicUser's name by setting User= to a (non existant) name. and systemd will allocate an unused UID to that particular name.
Would that+your ExecStartPre method work ?

[boucman]

Also, if you don't set the User= the user name should be trivial to guess from the unit name.

(all this require nss-systemd to be properly configured, by the way, which might be your problem)

[cpitclaudel]

I might have done something wrong, but even with User= I think the chown complains that the username cannot be found

[cpitclaudel]

But your suggestion is great, because I can stat the target directory to get the right user name (stat -c %%u:%%g) Feel free to close this if that's the right approach.

[poettering]

This sounds like something #15778 would neatly solve. I am tempted to close this as a duplicate of that RFE bug?