Why can't I access this lets-encrypt certificate file, even though I've set up the group?

Question

I would like to setup a node.js https server using a certificate I already have on my debian8 machine.

This certificate's group is set to libretodoapi (a user / group I've created to run the node.js app). The permission 640 should allow read access to that file:

root@nijin:/# ls -l /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem
-rw-r----- 1 root libretodoapi 1704 Jan 11 23:11 /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem

That said, trying to access the file as libretodoapi fails:

root@nijin:/# sudo -u libretodoapi cat /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem
cat: /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem: Permission denied

The predecessor folders all belong to root:

root@nijin:~# namei -lo /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem
f: /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem
drwxr-xr-x root root         /
drwxr-xr-x root root         etc
drwxr-xr-x root root         letsencrypt
drwx------ root root         archive
drwxr-xr-x root root         api.libretodo.org
-rw-r----- root libretodoapi privkey1.pem

I don't believe that there is a bug somewhere. Much rather, I think I don't know something about unix permissions which can explain that behavior. Do you know what I am missing?

Answer 1

All directories in the hierarchy, from the root (/) down to the parent directory of the file, must have x permissions for the user/group to enable them to access the file.

The execute permission on a directory enables a user to access the directory while the read permission enables a user to list its content.

See also the question Execute vs Read bit. How do directory permissions in Linux work?