SSL key permissions - why does root work?

Maxim Dounin mdounin at
Thu Dec 6 10:22:49 UTC 2012


On Wed, Dec 05, 2012 at 12:05:02PM -0500, pokrface wrote:

> Hi all--
> This might be a silly question, so I apologize, but I would like to know the
> answer. When configuring Nginx to work with SSL/TLS, best practice appears
> to be to secure your site's private key by ensuring it's owned by root:root
> and that its permissions are set to 400. My question, though, is why does
> this work? The Nginx worker processes, running under their own context,
> can't access the file that way. Do they rely on the master process (running
> as root) to read the key for them?

Worker processes don't read keys, but use keys already in memory 
(read by the master process during reading/parsing the 
configuration file, and inherited via fork() syscall, much like 
all other configuration data).

Maxim Dounin
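
The mechanism described in the reply above, as an added example (not part of the original thread and not nginx source): a parent reads a mode-0400 file into memory, forks, and the child drops privileges yet still holds the key bytes. The path, the sample key string and uid/gid 65534 for an unprivileged account are assumptions; the privilege drop only happens when the program is started as root.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_ID 65534   /* assumption: uid/gid of an unprivileged account */
enum { INHERITED = 1, DROPPED = 2, OPEN_DENIED = 4 };
static const char SAMPLE[] = "constructed-sample-key-material\n"; /* not a real key */

/* Returns a bitmask of what the child ("worker") observed, or -1 on setup error. */
int run_demo(void)
{
    char path[] = "/tmp/demo-key-XXXXXX";   /* hypothetical key location */
    char key[sizeof SAMPLE] = {0};
    int status = 0, fd = mkstemp(path);
    if (fd < 0) return -1;
    /* Install the "key" owner-read-only, the equivalent of chmod 400. */
    int ok = write(fd, SAMPLE, sizeof SAMPLE - 1) == (ssize_t)(sizeof SAMPLE - 1)
             && fchmod(fd, 0400) == 0;
    close(fd);
    /* "Master": read the key into memory before any worker exists. */
    fd = ok ? open(path, O_RDONLY) : -1;
    if (fd < 0 || read(fd, key, sizeof key - 1) < 0) {
        if (fd >= 0) close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    pid_t pid = fork();
    if (pid == 0) {                         /* "worker" */
        int flags = 0;
        if (geteuid() == 0 && setgroups(0, NULL) == 0 &&
            setgid(UNPRIV_ID) == 0 && setuid(UNPRIV_ID) == 0)
            flags |= DROPPED;               /* now running unprivileged */
        if (strcmp(key, SAMPLE) == 0)
            flags |= INHERITED;             /* key bytes came along with fork() */
        if (open(path, O_RDONLY) < 0 && errno == EACCES)
            flags |= OPEN_DENIED;           /* the file itself is off limits */
        _exit(flags);
    }
    if (pid > 0) waitpid(pid, &status, 0);
    unlink(path);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

Started as root, the child reports all three flags: it dropped privileges, cannot open the file, and still has the key. The practical consequence is that 0400 root:root protects the file on disk, while the key material remains present in every worker's address space.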
