[Twisted-Python] Using twistd with -c option causes permission error
Richard Shea
rshea at thecubagroup.com
Tue Aug 28 03:54:39 MDT 2018
On Tue, 28 Aug 2018, at 4:01 PM, Maarten ter Huurne wrote:
> On Tuesday, August 28, 2018 2:10:22 AM CEST Richard Shea wrote:
> > I'm trying to use the -c option of twistd like this:
> >
> > twistd web --wsgi bar.app -c foo.cer -k privkey.pem --https=4433
> >
> > I'm pointing it at a cert with perms like this "-rw-r--r-- 1 root root" but
> > twistd complains about a permission error.
> >
> > I'm puzzled ... surely twistd only needs to read that file?
>
> Is it complaining about the permissions on the cert or on the private key?
> Some applications (like SSH) reject private keys if they are world-readable,
> as a precaution.
>
Thanks Maarten, it was the certificate that was being complained about, but I think I now understand what the problem was.
Although I showed the certificate as being in the same directory, in fact it was deep in a path, and although the user running twisted had read on the file, they didn't have execute on some of the intermediate directories (and so I assume this was the cause of the access error ... I haven't yet had time to check this out).
This does raise a more general question ... what perms should the key used by twistd have? Ideally a key would only be readable by root, but running twistd as root is clearly undesirable. Anyone wish to give their opinion on that?
With Apache the process starts as root, reads the key and then makes the apache process run as a different, less powerful, user, but I can't see how you can do the equivalent for twistd. Am I overlooking something?
Thanks
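
The cause described in the message above (read permission on the file, but no execute permission on an intermediate directory) can be checked one path component at a time. The following is an added example, not part of the original post or of Twisted; the names `first_denied`, `_allowed` and the `start` parameter are assumptions, and it evaluates only the classic mode bits (no ACLs, capabilities or SELinux/AppArmor policy).

```python
import os


def _allowed(st, uid, gids, want):
    """Classic Unix mode-bit check; ACLs, capabilities and MAC are ignored."""
    if uid == 0:  # root bypasses these checks
        return True
    if uid == st.st_uid:
        bits = st.st_mode >> 6   # owner class
    elif st.st_gid in gids:
        bits = st.st_mode >> 3   # group class
    else:
        bits = st.st_mode        # other class
    return (bits & want) == want


def first_denied(path, uid, gids, start="/"):
    """Return (component, reason) for the first element that stops `uid`
    from reading `path`, or None. Every directory from `start` down to the
    file needs search (x); only the file itself needs read (r)."""
    path, start = os.path.realpath(path), os.path.realpath(start)
    parts = os.path.relpath(path, start).split(os.sep)
    if parts[0] == os.pardir:
        raise ValueError("path is not below start")
    current = start
    for name in [""] + parts[:-1]:
        current = os.path.join(current, name) if name else current
        if not _allowed(os.stat(current), uid, gids, 0o1):
            return current, "directory lacks search (x) permission"
    if not _allowed(os.stat(path), uid, gids, 0o4):
        return path, "file lacks read (r) permission"
    return None


if __name__ == "__main__":
    import tempfile
    # Constructed tree: a world-readable cert below a directory that only
    # its owner may search, checked for a different (hypothetical) uid.
    base = tempfile.mkdtemp()
    private = os.path.join(base, "private")
    os.mkdir(private, 0o700)
    cert = os.path.join(private, "foo.cer")
    open(cert, "w").close()
    os.chmod(cert, 0o644)
    print(first_denied(cert, os.getuid() + 1, [], start=base))
```

Pass the uid and group ids of the account that runs twistd; the first component returned is the one whose mode needs changing.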