For a high school project, I have to use a private key to encrypt a file. I changed the permissions on my pk so that only the root user can read this file. I changed the owner (to root) and put the uid right on this Python file, but when I execute this Python file, I can't access my pk. I think I would have to change the rights of Python, but I don't want to (security problem). Do you have any idea how to allow access to a file only by a Python file?
The Python file is included in a Django project (view.py). I also had the idea to use the pid of the process, but it didn't solve my problem.
I used chown root and chmod with 0777 on my view.py, but it said that I can't read this file (it has read for owner root).
My traceback error:
```
Traceback (most recent call last):
  File "/home/mora/anaconda3/lib/python3.8/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/home/mora/anaconda3/lib/python3.8/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/mora/Bureau/secProject/computer_project_54740/secuServer/accounts/views.py", line 65, in home_view
    with open("certificats/pkeyRSA.key", "r") as fd:
Exception Type: PermissionError at /home/
Exception Value: [Errno 13] Permission denied: 'certificats/pkeyRSA.key'
```
I added the uid right to the Python file with:
```
sudo chown root view.py
sudo chmod 0777 view.py
```
For the pkeyRSA.key:
```
sudo chown root pkeyRSA.key
sudo chmod u+r pkeyRSA.key
```
The owner or access permissions of the `views.py` don't matter with respect to opening (another) file. You simply run a Python program with a user (by default the one that starts the program, although you can change the user of the program). The Python files are thus not independent entities that each run with a different user; in fact the owner of the file does not matter at all, as long as the interpreter can read the files.

This thus means that the `python` program that runs the Django server will eventually try to open the file, and therefore the operating system will check if the user that runs the program has permissions to open the file.

The fact that a `*.py` file has a certain owner or permissions itself does not matter much. It matters if the user that runs the Python program tries to open the Python file to start the program, but the program does not change ownership of the program run (the "process") in case the file has a different owner; that would be a severe privilege escalation [wiki] issue.

You thus will have to run the Python file with the correct user, like:

The idea is thus to make the file accessible to the user that you use to run the webserver, like `www-data` for example.
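
The check the answer describes, as an added example that is not part of the original answer: the decision to open the key depends only on the process's effective uid and groups and on the key file's owner, group and mode, so the owner of `views.py` never appears as an input. The function names are hypothetical, and uid 1000 (the user starting Django) and uid 33 (a service account) are constructed sample values.

```python
import os
import stat
import tempfile

def class_bits(st_uid, st_gid, st_mode, uid, gids):
    """Return the rwx bits of the single permission class POSIX applies."""
    if uid == st_uid:
        return (st_mode >> 6) & 7      # owner class
    if st_gid in gids:
        return (st_mode >> 3) & 7      # group class
    return st_mode & 7                 # other class

def can_read(st_uid, st_gid, st_mode, uid, gids):
    """True if a process with this effective uid/groups may open the file for reading."""
    if uid == 0:                       # root normally bypasses the mode check
        return True
    return bool(class_bits(st_uid, st_gid, st_mode, uid, gids) & 4)

def explain(path):
    """Run the same check for the current process against a real file."""
    st = os.stat(path)
    uid = os.geteuid()
    gids = set(os.getgroups()) | {os.getegid()}
    return {
        "process_euid": uid,
        "file_owner": st.st_uid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "readable": can_read(st.st_uid, st.st_gid, st.st_mode, uid, gids),
        # A private key should grant nothing to group or others.
        "exposed_to_others": bool(st.st_mode & 0o077),
    }

if __name__ == "__main__":
    key_mode = 0o400  # constructed: read permission for the owner only
    # Key owned by root, server started by uid 1000: the open() fails.
    print("root-owned key, server as 1000:", can_read(0, 0, key_mode, 1000, {1000}))
    # Key owned by the account that runs the server: the open() succeeds.
    print("key owned by 33, server as 33: ", can_read(33, 33, key_mode, 33, {33}))
    with tempfile.NamedTemporaryFile() as tmp:
        os.chmod(tmp.name, 0o400)
        print(explain(tmp.name))
```

Calling `explain("certificats/pkeyRSA.key")` from inside the Django process shows which uid the server actually runs as and whether that uid passes the check.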