Re: Allow root ownership of client certificate key - Mailing list pgsql-hackers

From David Steele
Subject Re: Allow root ownership of client certificate key
Msg-id 3d0d7347-fc5b-455f-df38-eed7f6f5d4bb@pgmasters.net
In response to Allow root ownership of client certificate key  (David Steele <david@pgmasters.net>)
List pgsql-hackers
On 10/22/21 11:41 AM, David Steele wrote:
> 
> I noticed recently that permissions checking is done differently for the 
> server certificate key than the client key. Specifically, on the server 
> the key can have 640 perms if it is owned by root.
> 
> On the server side this change was made in 9a83564c and I think the same 
> rationale applies equally well to the client key. At the time managed 
> keys on the client may not have been common but they are now.
> 
> Attached is a patch to make this change.
> 
> I was able to test this manually by hacking 001_ssltests.pl like so:
> 
> -    chmod 0640, "ssl/${key}_tmp.key"
> +    chmod 0600, "ssl/${key}_tmp.key"
>         or die "failed to change permissions on ssl/${key}_tmp.key: $!";
> -    system_or_bail("sudo chown root ssl/${key}_tmp.key");
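
Review bot: The `system_or_bail("sudo chown root ssl/${key}_tmp.key")` line makes the test depend on passwordless sudo, so it cannot be kept for general-purpose testing. The case that matters most for safety needs no privilege: a key left at `chmod 0640` and owned by the test user (not root) must still be rejected by the client, and that negative test could be added without the chown. Separately, the hunk's direction reads as the revert of the hack, since the `-` lines are the ones that set 0640 and root ownership; it is worth saying which way it applies.
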
> 
> But this is clearly not going to work for general purpose testing. The 
> server keys are also not tested for root ownership so perhaps we do not need 
> that here either.
> 
> I looked at trying to make this code common between the server and 
> client but due to the differences in error reporting it seemed like more 
> trouble than it was worth.

Added to next CF: https://commitfest.postgresql.org/35/3379

-- 
-David
david@pgmasters.net


