1

I would like to set up a Node.js HTTPS server using a certificate I already have on my Debian 8 machine.

This certificate's group is set to libretodoapi (a user / group I've created to run the node.js app). The permission 640 should allow read access to that file:

root@nijin:/# ls -l /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem
-rw-r----- 1 root libretodoapi 1704 Jan 11 23:11 /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem

That said, trying to access the file as libretodoapi fails:

root@nijin:/# sudo -u libretodoapi cat /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem
cat: /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem: Permission denied

The predecessor folders all belong to root:

root@nijin:~# namei -lo /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem
f: /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem
drwxr-xr-x root root         /
drwxr-xr-x root root         etc
drwxr-xr-x root root         letsencrypt
drwx------ root root         archive
drwxr-xr-x root root         api.libretodo.org
-rw-r----- root libretodoapi privkey1.pem

I don't believe that there is a bug somewhere. Much rather, I think I don't know something about unix permissions which can explain that behavior. Do you know what I am missing?

Nijin22
  • 113
  • 5
  • It might be the access rights of a folder. Add the output of namei -lo /etc/letsencrypt/archive/api.libretodo.org/privkey1.pem to your question. – Thomas Feb 10 '18 at 18:02
  • 2
    All folders in the hierarchy down to the file must have x permissions for the user/group to enable them to access it. – Kusalananda Feb 10 '18 at 18:14
  • @Kusalananda I see! Adding x to the archive folder solved the problem. Do you want to post that as an answer so I can accept? – Nijin22 Feb 10 '18 at 18:21

1 Answer

4

All directories in the hierarchy, from the root (/) down to the parent directory of the file, must have x permissions for the user/group to enable them to access the file.

The execute permission on a directory enables a user to access the directory while the read permission enables a user to list its content.

See also the question Execute vs Read bit. How do directory permissions in Linux work?

Kusalananda
  • 333,661
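The rule in the answer above, as an added example that is not part of the original question or answer: a small checker that walks a path from `/` and reports the first component that denies a given user, using only the classic owner/group/other mode bits. It ignores ACLs and security modules, and the uid/gid `1001` for `libretodoapi` and the helper names are assumptions made for illustration.

```python
import os
from types import SimpleNamespace

def class_bits(st, uid, gids):
    """rwx triplet that applies: owner if uid matches, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7

def first_blocker(path, uid, gids, stat_fn=os.stat):
    """Return (component, reason) for the first denial on an absolute path, or None."""
    if uid == 0:
        return None  # root normally bypasses mode-bit checks
    chain, current = ["/"], ""
    for part in filter(None, path.split("/")):
        current += "/" + part
        chain.append(current)
    # Every directory on the way needs x (search); r is only needed to list it.
    for directory in chain[:-1]:
        if not class_bits(stat_fn(directory), uid, gids) & 0o1:
            return (directory, "directory lacks x (search) for this user")
    if not class_bits(stat_fn(chain[-1]), uid, gids) & 0o4:
        return (chain[-1], "file lacks r for this user")
    return None

# Constructed sample: the modes and owners from the namei -lo output above.
# uid/gid 1001 for libretodoapi is an assumed value, not taken from the page.
APP_UID, APP_GID = 1001, 1001
KEY = "/etc/letsencrypt/archive/api.libretodo.org/privkey1.pem"

def node(mode, uid=0, gid=0):
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

SAMPLE = {
    "/": node(0o40755),
    "/etc": node(0o40755),
    "/etc/letsencrypt": node(0o40755),
    "/etc/letsencrypt/archive": node(0o40700),
    "/etc/letsencrypt/archive/api.libretodo.org": node(0o40755),
    KEY: node(0o100640, gid=APP_GID),
}

if __name__ == "__main__":
    print(first_blocker(KEY, APP_UID, {APP_GID}, SAMPLE.__getitem__))
```

On a live system, leave out `stat_fn` so `os.stat` is used, and run it as a user that can itself stat every component of the path.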