SSL key permissions - why does root work?
mdounin at mdounin.ru
Thu Dec 6 10:22:49 UTC 2012
On Wed, Dec 05, 2012 at 12:05:02PM -0500, pokrface wrote:
> Hi all--
> This might be a silly question, so I apologize, but I would like to know the
> answer. When configuring Nginx to work with SSL/TLS, best practice appears
> to be to secure your site's private key by ensuring it's owned by root:root
> and that its permissions are set to 400. My question, though, is why does
> this work? The Nginx worker processes, running under their own context,
> can't access the file that way. Do they rely on the master process (running
> as root) to read the key for them?
Worker processes don't read keys, but use keys already in memory
(read by the master process during reading/parsing the
configuration file, and inherited via fork() syscall, much like
all other configuration data).
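The mechanism described in the reply above, as an added example that is not part of the original thread and is not nginx's own code: a "master" reads a mode-0400 file into memory, forks, and the "worker" loses access to the file yet still holds the inherited copy. The function name, flag names, temp path and key text are constructed for illustration; uid/gid 65534 is assumed to be an unprivileged account, and when the program is not started as root a `chmod` to mode 000 stands in for the privilege drop.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define KEY_INTACT    1 /* worker's inherited copy equals what the master read */
#define REOPEN_DENIED 2 /* worker could not open the key file itself */
#define RESTRICTED    4 /* worker really lost read access before trying */

static const char SAMPLE_KEY[] = "-----CONSTRUCTED SAMPLE, NOT A REAL KEY-----\n";

/* Returns the worker's flag bits, or -1 if setup failed. */
int run_master_worker_demo(void) {
    char path[] = "/tmp/demo-key-XXXXXX", key[128] = {0};
    int status = 0, fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t n = write(fd, SAMPLE_KEY, sizeof SAMPLE_KEY - 1);
    if (n < 0 || fchmod(fd, 0400) < 0) n = -1;   /* owner read-only, like the key */
    close(fd);

    /* Master: read the key into memory while it still has access. */
    fd = n < 0 ? -1 : open(path, O_RDONLY);
    n = fd < 0 ? -1 : read(fd, key, sizeof key - 1);
    if (fd >= 0) close(fd);
    pid_t pid = n < 0 ? -1 : fork();
    if (pid == 0) { /* Worker: give up access, then try both routes to the key. */
        int dropped = geteuid() == 0
            ? (setgid(65534) == 0 && setuid(65534) == 0) /* assumed unprivileged ids */
            : (chmod(path, 0) == 0);                     /* stand-in when not root */
        int flags = dropped ? RESTRICTED : 0;
        int wfd = open(path, O_RDONLY);
        if (wfd < 0) flags |= REOPEN_DENIED; else close(wfd);
        if (strcmp(key, SAMPLE_KEY) == 0) flags |= KEY_INTACT; /* fork()ed copy */
        _exit(flags);
    }
    if (pid > 0) waitpid(pid, &status, 0);
    unlink(path);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int r = run_master_worker_demo();
    printf("inherited=%d reopen_denied=%d\n",
           r > 0 && (r & KEY_INTACT), r > 0 && (r & REOPEN_DENIED));
    return r < 0;
}
```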