Bug 7831 - tlwebaccess won't serve requests if TLS private key permissions > 0600
Summary: tlwebaccess won't serve requests if TLS private key permissions > 0600
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
Depends on:
Reported: 2022-02-07 13:08 CET by Martin Östlund
Modified: 2022-02-08 13:02 CET (History)
0 users

See Also:
Acceptance Criteria:


Description Martin Östlund cendio 2022-02-07 13:08:54 CET
It has come to our attention that there might be use cases where one want other services / users to be able to read the private key defined in webaccess.hconf

At the moment tlwebaccess will start, but won't service requests if permissions less restrictive than 0600 is set.

[root@lab-213 ~]# chmod 640 /opt/thinlinc/etc/tlwebaccess/server.key
[root@lab-213 ~]# systemctl restart tlwebaccess

Point browser to https://x.x.x.x:300/

This site can’t be reached
The connection was reset.

and /var/log/tlwebaccess.log will produce
2022-02-07 13:00:42 ERROR tlwebaccess[356058]: [::ffff:] File is read and writeable by others than file owner.
2022-02-07 13:00:42 ERROR tlwebaccess[356058]: [::ffff:] Failed to reliable read the certificate key from file, exiting.

Expected outcome / wished result:
tlwebaccess will accept the key with pemissions 640 set.

It would be beneficial to be able to have 640, that way it is possible to have group ownership to something else than root and give other services running on the system (or other users) able to read the private key for usage. That way multiple services can share the same private key, even if they are not uid=0

Note You need to log in before you can comment on or make changes to this bug.