Re: BUG #1963: SSL certificate permission check is too strict - Mailing list pgsql-bugs

From Tom Lane
Subject Re: BUG #1963: SSL certificate permission check is too strict
Date
Msg-id 10226.1129304318@sss.pgh.pa.us
Whole thread Raw
In response to BUG #1963: SSL certificate permission check is too strict  ("Martin Pitt" <mpitt@debian.org>)
Responses Re: BUG #1963: SSL certificate permission check is too strict
List pgsql-bugs
"Martin Pitt" <mpitt@debian.org> writes:
> Currently the postmaster requires the private SSL key file to have the same
> owner as the postmaster, and no permissions for group and others. However,
> this is too strict to sensibly use the certificate with ACLs, which permits
> other server processes to share it.

> In Debian I applied a patch which relaxes the check a bit: in addition to
> the currently allowed permissions, the file might be:
>  - owned by root
>  - group-readable if the file is in group root or the postmaster group.

This was proposed and rejected before --- it's not clear why it's a good
idea to share a private key file with other servers, and even less clear
why it'd be a good idea to have such a file be group-readable by a large
group.

            regards, tom lane

pgsql-bugs by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: Bug#333854: pg_group file update problems
Next
From: Tom Lane
Date:
Subject: Re: [GENERAL] Postgres logs to syslog LOCAL0