
On Tue, 28 Aug 2018, at 4:01 PM, Maarten ter Huurne wrote:
On Tuesday, August 28, 2018 2:10:22 AM CEST Richard Shea wrote:
I'm trying to use the -c option of twistd like this:
twistd web --wsgi bar.app -c foo.cer -k privkey.pem --https=4433
I'm pointing it at a cert with perms like this "-rw-r--r-- 1 root root" but twistd complains about a permission error.
I'm puzzled ... surely twistd only needs to read that file?
Is it complaining about the permissions on the cert or on the private key? Some applications (like SSH) reject private keys if they are world-readable, as a precaution.
Thanks Maarten, it was the certificate that was being complained about, but I think I now understand what the problem was. Although I showed the certificate as being in the same directory, in fact it was deep in a path, and although the user running Twisted had read on the file they didn't have execute on some of the intermediate directories (and so I assume this was the cause of the access error ... I haven't yet had time to check this out).

This does raise a more general question .... what perms should the key used by twistd have? Ideally a key would only be readable by root, but running twistd as root is clearly undesirable. Anyone wish to give their opinion on that? With Apache the process starts as root, reads the key and then makes the apache process run as a different, less powerful, user, but I can't see how you can do the equivalent for twistd? Am I overlooking something?

Thanks
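The two checks discussed in this thread, as an added POSIX sh example (not code from the thread or from Twisted): walking every directory leading to the cert/key for the search (x) bit that Richard suspected was missing, and flagging a private key that is world-readable. Run it as the user twistd runs as, since root passes every -r/-x test regardless of mode bits; the paths in the comments are made-up placeholders.

```shell
#!/bin/sh
# Reading /srv/certs/key.pem needs 'r' on the file AND 'x' (search) on
# every directory on the way: /, /srv, /srv/certs. A missing 'x' on any
# of them gives the same "permission denied" as an unreadable file.

# Print each ancestor directory of an absolute path, outermost first,
# one per line: /a/b/k.pem -> "/" "/a" "/a/b".
ancestors() {
    case $1 in /*) ;; *) echo "ancestors: need an absolute path" >&2; return 1;; esac
    dir=$(dirname -- "$1")
    out=$dir
    while [ "$dir" != / ]; do
        dir=$(dirname -- "$dir")
        out="$dir
$out"
    done
    printf '%s\n' "$out"
}

# Report every component the *current* user cannot pass through or read.
# Returns 0 when the file is reachable and readable, 1 otherwise.
check_traversal() {
    rc=0
    while IFS= read -r d; do
        [ -x "$d" ] || { echo "no search (x) permission on directory: $d"; rc=1; }
    done <<EOF
$(ancestors "$1")
EOF
    [ -r "$1" ] || { echo "no read permission on file: $1"; rc=1; }
    return $rc
}

# Returns 0 if "others" can read the file, judged from the ls -l mode
# string (column 8 is the others' read bit). A private key should not be.
world_readable() {
    case $(ls -ld -- "$1" | cut -c8) in r) return 0;; *) return 1;; esac
}

# Usage: ./check.sh /srv/certs/privkey.pem
if [ -n "$1" ]; then
    check_traversal "$1" && echo "reachable and readable: $1"
    world_readable "$1" && echo "WARNING: $1 is world-readable"
fi
```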