Allowed permissions should not be so restrictive

[Ypnose]

If x509.certificate file mode is not 644 and if x509.private_key is not 600, tlshd won't start.

It should be allowed to define both file in mode 400 if they belong to root user / group.

[chucklever]

Can you explain your use case? Ie, why do you need it to work this way?

[Ypnose]

Thanks for your message. I usually always set 400 mode on certificates and private keys, unless the daemon is not running as root. I then use symlinks to the files. As I do not need to modify / rewrite the certificate or the private key, I prefer to do it that way.

[chucklever]

OK. I was looking for a security best practice or something like that. Let me see if I can remember why we put that access mode restriction on those files.

[chucklever]

If x509.certificate file mode is not 644 and if x509.private_key is not 600, tlshd won't start.

From src/tlshd/config.c

162         if (statbuf.st_uid != owner)
163                 tlshd_log_notice("File %s: expected owner %u",
164                                  pathname, owner);
165         if ((statbuf.st_mode & TLSHD_ACCESSPERMS) != mode)
166                 tlshd_log_notice("File %s: expected mode %o",
167                                  pathname, mode);

These are only notices. They shouldn't cause tlshd to fail to start. There might be another reason why tlshd is not starting for you. Try boosting tlshd's debugging level to get more information.

[Ypnose]

You are totally right. The underlying fatal issue was fixed. That notice is useful if permissions are too wide, but what is your opinion if mode is 400 ? In that case, the notice sounds alarming.