Advice regarding directory structure

[bfqrst]

Hi there,

suppose I have a running step online CA and client box acting as a, well, client!

When user foo performs the bootstrapping process, the config and the root cert is written to ~/.step/ . If I recall correctly, those are 0700. The same would go for users bar and baz. Add in some systemd timer for renewal and such which are all in need of the config file and the root cert!

Instead of each user bootrapping to his own .step folder, I ended up pointing STEPPATH to /etc/step and chmod-ing the folder 0750.

I guess my question is, what is the recommended pattern here? What do I need to be aware of?

Cheers
Ralph

[maraino]

There's nothing "secret" in the bootstrap files, so it's ok allowing the users to read it, but only the root should be able to edit them. If not, you can trick the users into using another server. So 0750 using a group looks right to me. For the files, there's no need to allow execution, but I guess that won't do anything.

There's one thing, though. If you're planning to use SSH, the users might need to change their ssh config manually. By default, if you run step ssh config, the config is written in $(step path)/ssh/config, and that would fail. Those files include the username, as long as you remove it should be ok. And they will need to include it from ~/.ssh/config manually. And they can always copy the configuration and edit it as they want or include their own file.