Description:
===============
It has come to our attention that there might be use cases where one wants other services / users to be able to read the private key defined in webaccess.hconf. At the moment tlwebaccess will start, but won't service requests if permissions less restrictive than 0600 are set.

Reproduce:
------------
[root@lab-213 ~]# chmod 640 /opt/thinlinc/etc/tlwebaccess/server.key
[root@lab-213 ~]# systemctl restart tlwebaccess

Point browser to https://x.x.x.x:300/

Result:
---------
This site can’t be reached
The connection was reset.

and /var/log/tlwebaccess.log will produce
------------------------------------------
2022-02-07 13:00:42 ERROR tlwebaccess[356058]: [::ffff:10.47.1.40] File is read and writeable by others than file owner.
2022-02-07 13:00:42 ERROR tlwebaccess[356058]: [::ffff:10.47.1.40] Failed to reliable read the certificate key from file, exiting.

Expected outcome / wished result:
=====================================
tlwebaccess will accept the key with permissions 640 set.

Why?
=====
It would be beneficial to be able to have 640; that way it is possible to set group ownership to something other than root and give other services running on the system (or other users) the ability to read the private key. That way multiple services can share the same private key, even if they are not uid=0.
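As an added illustration of the permission check this report is about (example code, not ThinLinc's own code, and not a claim about how tlwebaccess implements its check): a Python check that reproduces the strict behaviour described above (anything looser than 0600 is refused) next to a relaxed policy that would accept 0640 as the report asks for. The relaxed policy still rejects group write/execute and any "other" bit, so the only thing it tolerates is read access for the file's group. The function names, the `allow_group_read` policy flag and the key files created in a temporary directory are all constructed for this example.

```python
import os
import stat
import tempfile

# Added example for this report; it is not tlwebaccess code and does not
# claim to mirror its implementation. Function names and the
# `allow_group_read` policy flag are assumptions made for illustration.


def key_permission_problem(path_or_fd, allow_group_read=False):
    """Return None if the key file is acceptably protected, else a reason.

    Strict policy (allow_group_read=False): nothing beyond the owner bits,
    i.e. 0600 or tighter, which is the behaviour the report describes.
    Relaxed policy (allow_group_read=True): group read (0640) is tolerated
    so a dedicated group can share the key; group write/execute and any
    'other' bit are still rejected.
    """
    st = os.stat(path_or_fd)  # accepts a path or an open descriptor
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        return "accessible by others than owner and group (mode %04o)" % mode
    forbidden_group = stat.S_IWGRP | stat.S_IXGRP
    if not allow_group_read:
        forbidden_group |= stat.S_IRGRP
    if mode & forbidden_group:
        return "group bits too permissive (mode %04o)" % mode
    return None


def read_private_key(path, allow_group_read=False):
    """Open the key, check permissions on the open descriptor (so the
    check and the read refer to the same inode), then return its bytes."""
    with open(path, "rb") as f:
        problem = key_permission_problem(f.fileno(), allow_group_read)
        if problem is not None:
            raise PermissionError("%s: %s" % (path, problem))
        return f.read()


def demo():
    """Create constructed key files with several modes and report which
    policy accepts each. Returns {mode: (strict_problem, relaxed_problem)},
    where None means the policy accepts the file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for mode in (0o600, 0o640, 0o644, 0o660):
            p = os.path.join(d, "server.key.%04o" % mode)
            with open(p, "w") as f:
                f.write("-----BEGIN PRIVATE KEY-----\n(constructed, not a real key)\n")
            os.chmod(p, mode)  # chmod sets the mode exactly; umask does not apply
            results[mode] = (key_permission_problem(p),
                             key_permission_problem(p, allow_group_read=True))
    return results


def demo_read():
    """Show read_private_key refusing a 0644 file and accepting a 0600 one.
    Returns (refused_at_0644, bytes_read_at_0600)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "server.key")
        with open(p, "w") as f:
            f.write("constructed\n")
        os.chmod(p, 0o644)
        try:
            read_private_key(p)
            refused = False
        except PermissionError:
            refused = True
        os.chmod(p, 0o600)
        data = read_private_key(p)
    return refused, data


if __name__ == "__main__":
    for mode, (strict, relaxed) in sorted(demo().items()):
        print("%04o strict: %s | relaxed: %s" % (mode, strict or "ok", relaxed or "ok"))
```

Two points a practitioner would want alongside the relaxed policy: accepting 0640 only helps if the file's group is one that contains exactly the intended readers (chgrp it to a dedicated group rather than leaving it as root), and the check is done on the already-open descriptor rather than on the path so that a swap of the file between the check and the read cannot bypass it.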
The fact that Web Access requires 0600 permissions on the certificate key is also not documented in our TAG:

https://www.cendio.com/resources/docs/tag-devel/html/tlwebaccess_server.html?highlight=certificate#certificates
https://www.cendio.com/resources/docs/tag-devel/html/config_webaccess.html#server-config-webaccess-certkey