On Tue, 28 Aug 2018, at 4:01 PM, Maarten ter Huurne wrote:
> On Tuesday, August 28, 2018 2:10:22 AM CEST Richard Shea wrote:
> > I'm trying to use the -c option of twistd like this:
> >
> > twistd web --wsgi bar.app -c foo.cer -k privkey.pem --https=4433
> >
> > I'm pointing it at a cert with perms like this "-rw-r--r-- 1 root root" but
> > twistd complains about a permission error.
> >
> > I'm puzzled ... surely twistd only needs to read that file?
>
> Is it complaining about the permissions on the cert or on the private key?
> Some applications (like SSH) reject private keys if they are world-readable,
> as a precaution.

Thanks Maarten, it was the certificate that was being complained about, but I think I now understand what the problem was.
Although I showed the certificate as being in the same directory, in fact it was deep in a path, and although the user running twisted had read on the file they didn't have execute on some of the intermediate directories (and so I assume this was the cause of the access error ... I haven't yet had time to check this out).

This does raise a more general question .... what perms should the key used by twistd have? Ideally a key would only be readable by root, but running twistd as root is clearly undesirable. Anyone wish to give their opinion on that?

With Apache the process starts as root, reads the key and then makes the apache process run as a different, less powerful, user, but I can't see how you can do the equivalent for twistd? Am I overlooking something?

Thanks
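As an added illustration, not code from the thread or from Twisted: a small Python checker for the cause Richard suspects above (read bit on the file, but a missing search/execute bit on an intermediate directory), which also flags the world-readable private key Maarten mentions. It models only classic Unix mode bits for one uid and its groups; ACLs, capabilities and MAC policies such as SELinux are assumed absent, and any paths fed to it as plain `Entry` records are constructed test data.

```python
import os
from dataclasses import dataclass


@dataclass
class Entry:
    path: str
    mode: int  # st_mode as returned by os.stat
    uid: int
    gid: int


def effective_bits(entry, uid, gids):
    # Pick the owner, group or other triplet that classic Unix DAC applies to this user.
    if entry.uid == uid:
        shift = 6
    elif entry.gid in gids:
        shift = 3
    else:
        shift = 0
    return (entry.mode >> shift) & 0o7


def find_access_problems(entries, uid, gids, private_key=False):
    """entries runs from the root directory down to the file itself.
    Returns human-readable findings; an empty list means a read-only open() should succeed."""
    problems = []
    *dirs, leaf = entries
    if uid != 0:  # root bypasses DAC, so only the exposure check below applies to it
        for d in dirs:
            if not effective_bits(d, uid, gids) & 0o1:
                problems.append(f"{d.path}: no search (x) permission for uid {uid}")
        if not effective_bits(leaf, uid, gids) & 0o4:
            problems.append(f"{leaf.path}: no read permission for uid {uid}")
    if private_key and leaf.mode & 0o007:
        problems.append(f"{leaf.path}: private key is world-readable (mode {leaf.mode & 0o777:04o})")
    return problems


def stat_chain(path):
    # Collect every ancestor of path plus the file itself, root first (symlinks are followed).
    path = os.path.abspath(path)
    prefixes = [path]
    while os.path.dirname(prefixes[-1]) != prefixes[-1]:
        prefixes.append(os.path.dirname(prefixes[-1]))
    chain = []
    for p in reversed(prefixes):
        st = os.stat(p)
        chain.append(Entry(p, st.st_mode, st.st_uid, st.st_gid))
    return chain
```

On a live system, `find_access_problems(stat_chain("/path/to/privkey.pem"), uid, {gid, ...}, private_key=True)` with the service account's uid and gids reports which directory or file bit blocks the open, before twistd is even started.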