Bug 7831 - tlwebaccess won't serve requests if TLS private key permissions > 0600
Summary: tlwebaccess won't serve requests if TLS private key permissions > 0600
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-07 13:08 CET by Martin Östlund
Modified: 2024-07-02 13:34 CEST

See Also:
Acceptance Criteria:


Attachments

Description Martin Östlund cendio 2022-02-07 13:08:54 CET
Description:
===============
It has come to our attention that there might be use cases where one wants other services / users to be able to read the private key defined in webaccess.hconf.

At the moment tlwebaccess will start, but won't service requests if permissions less restrictive than 0600 are set.

Reproduce:
------------
[root@lab-213 ~]# chmod 640 /opt/thinlinc/etc/tlwebaccess/server.key
[root@lab-213 ~]# systemctl restart tlwebaccess

Point browser to https://x.x.x.x:300/

Result:
---------
This site can’t be reached
The connection was reset.

and /var/log/tlwebaccess.log will produce
------------------------------------------
2022-02-07 13:00:42 ERROR tlwebaccess[356058]: [::ffff:10.47.1.40] File is read and writeable by others than file owner.
2022-02-07 13:00:42 ERROR tlwebaccess[356058]: [::ffff:10.47.1.40] Failed to reliable read the certificate key from file, exiting.

Expected outcome / wished result:
=====================================
tlwebaccess will accept the key with permissions 640 set.

Why?
=====
It would be beneficial to be able to have 640. That way it is possible to have group ownership set to something other than root and allow other services running on the system (or other users) to read the private key. That way multiple services can share the same private key, even if they are not uid=0.
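The permission check the report describes can be expressed as a small policy function. The following is an added illustration, not code from ThinLinc or tlwebaccess: it shows a strict policy that, like the current behaviour, rejects any mode looser than 0600, beside a relaxed policy that additionally accepts group read (0640) while still rejecting group write/execute and every bit for "others". Function names, messages and the constructed placeholder key file are assumptions made here for the example.

```python
import os
import stat
import tempfile


def key_mode_problems(mode, allow_group_read=False):
    """Return a list of reasons a private-key file's mode bits are unacceptable.

    Strict policy (allow_group_read=False): anything beyond 0600 is a problem,
    matching the behaviour described in the bug report.
    Relaxed policy (allow_group_read=True): group read (0640) is tolerated so a
    non-root group can share the key; group write/exec and all 'others' bits
    are still rejected.
    """
    perm = stat.S_IMODE(mode)
    problems = []
    if perm & stat.S_IRWXO:
        problems.append("readable/writable/executable by others")
    if perm & stat.S_IWGRP:
        problems.append("writable by group")
    if perm & stat.S_IXGRP:
        problems.append("executable by group")
    if perm & stat.S_IRGRP and not allow_group_read:
        problems.append("readable by group")
    return problems


def check_key_file(path, allow_group_read=False):
    """Check a key file on disk. Uses lstat so a symlink is not silently followed
    to a file with different ownership/permissions; only regular files pass."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    return key_mode_problems(st.st_mode, allow_group_read)


def demo():
    """Constructed example: write a placeholder key file, then try several
    modes under both policies. Returns {mode: (strict_ok, relaxed_ok)}."""
    results = {}
    with tempfile.NamedTemporaryFile(delete=False) as f:
        # Placeholder content for the example; not a real private key.
        f.write(b"-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n"
                b"-----END PRIVATE KEY-----\n")
        path = f.name
    try:
        for mode in (0o600, 0o640, 0o644, 0o660):
            os.chmod(path, mode)
            results[oct(mode)] = (
                check_key_file(path) == [],
                check_key_file(path, allow_group_read=True) == [],
            )
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for mode, (strict_ok, relaxed_ok) in demo().items():
        print(f"{mode}: strict={'ok' if strict_ok else 'reject'} "
              f"relaxed={'ok' if relaxed_ok else 'reject'}")
```

Under the relaxed policy 0640 is the only additional mode accepted; 0644 and 0660 are still rejected, so the relaxation is limited to exactly the use case the report asks for (a trusted group reading the key) without exposing it to other users.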
Comment 2 Samuel Mannehed cendio 2024-07-02 13:34:02 CEST
The fact that Web Access requires 0600 permissions on the certificate key is also not documented in our TAG:

https://www.cendio.com/resources/docs/tag-devel/html/tlwebaccess_server.html?highlight=certificate#certificates

https://www.cendio.com/resources/docs/tag-devel/html/config_webaccess.html#server-config-webaccess-certkey
