The following bug has been logged on the website:
Bug reference: 14543
Logged by: Johannes Ziemke
Email address: postgres@freigeist.org
PostgreSQL version: 9.5.6
Operating system: linux
Description:
Hi,
looks like libpq checks if a ssl key is group or world readable and aborts
if that's the case:
# pg_basebackup -R -d
'postgres://replication@db-rw?sslmode=verify-ca&sslcert=/etc/ssl/private/default.pem&sslkey=/etc/ssl/private/default-key.pem&sslrootcert=/etc/ssl/ca-trusted.pem'
-D /var/lib/postgresql/9.5/main --xlog-method=stream
pg_basebackup: could not connect to server: private key file
"/etc/ssl/private/default-key.pem" has group or world access; permissions
should be u=rw (0600) or less
# ls -al /etc/ssl/private/default-key.pem
-rw-r----- 1 root ssl-cert 1675 Feb 13 18:04
/etc/ssl/private/default-key.pem
While I agree this is reasonable to do if the key is world readable, it's
perfectly fine to make a SSL key group readable to share it with multiple
users on the same system.
Ubuntu (and probably most other distributions) even creates a group for
exactly this scenario:
# ls -l /etc/ssl/private/
total 4
-rw-r----- 1 root ssl-cert 1708 Apr 14 2016 ssl-cert-snakeoil.key
--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
