Home > mailing lists

Re: BUG #1963: SSL certificate permission check is too strict - Mailing list pgsql-bugs

From	Tom Lane
Subject	Re: BUG #1963: SSL certificate permission check is too strict
Date	October 14, 2005 15:38:48
Msg-id	10226.1129304318@sss.pgh.pa.us Whole thread Raw
In response to	BUG #1963: SSL certificate permission check is too strict ("Martin Pitt" <mpitt@debian.org>)
Responses	Re: BUG #1963: SSL certificate permission check is too strict
List	pgsql-bugs

Tree view

"Martin Pitt" <mpitt@debian.org> writes:
> Currently the postmaster requires the private SSL key file to have the same
> owner as the postmaster, and no permissions for group and others. However,
> this is too strict to sensibly use the certificate with ACLs, which permits
> other server processes to share it.

> In Debian I applied a patch which relaxes the check a bit: in addition to
> the currently allowed permissions, the file might be:
>  - owned by root
>  - group-readable if the file is in group root or the postmaster group.

This was proposed and rejected before --- it's not clear why it's a good
idea to share a private key file with other servers, and even less clear
why it'd be a good idea to have such a file be group-readable by a large
group.

            regards, tom lane

pgsql-bugs by date:

From: Bruce Momjian
Date: 14 October 2005, 15:30:03
Subject: Re: Bug#333854: pg_group file update problems

From: Tom Lane
Date: 14 October 2005, 17:06:02
Subject: Re: [GENERAL] Postgres logs to syslog LOCAL0

Re: BUG #1963: SSL certificate permission check is too strict - Mailing list pgsql-bugs

Previous

Next