Re: BUG #3809: SSL "unsafe" private key permissions bug - Mailing list pgsql-bugs

From Gregory Stark
Subject Re: BUG #3809: SSL "unsafe" private key permissions bug
Date
Msg-id 87ir38opw2.fsf@oxford.xeocode.com
Whole thread Raw
In response to Re: BUG #3809: SSL "unsafe" private key permissions bug  (Simon Arlott <simon@arlott.org>)
Responses Re: BUG #3809: SSL "unsafe" private key permissions bug
List pgsql-bugs
"Simon Arlott" <simon@arlott.org> writes:

> On 08/12/07 15:31, Tom Lane wrote:
>> "Simon Arlott" <postgresql.simon@arlott.org> writes:
>>> FATAL:  unsafe permissions on private key file "server.key"
>>> DETAIL:  File must be owned by the database user and must have no
>>> permissions for "group" or "other".
>>
>>> It should be possible to disable this check in the configuration, so those
>>> of us capable of deciding what's unsafe can do so.
>>
>> You haven't given any reason to think that you are smarter than this
>> check.
>
> The directory containing the SSL keys has appropriate permissions, I
> shouldn't have to make a separate copy of them for every application.

Another case where it's important to be able to disable this check is when
you're using a file system which doesn't use the unix bits for permission
checks either at all or in the traditional way.

So for example if the key directory lay on an FAT filesystem which doesn't
have unix bit per file the only way to satisfy the check would be to mount the
filesystem with the option to make every file in the filesystem have those
bits. Storing your keys on a usb stick (which usually use fat filesystems)
isn't really such a crazy idea either.

--
  Gregory Stark
  EnterpriseDB          http://www.enterprisedb.com
  Ask me about EnterpriseDB's PostGIS support!

pgsql-bugs by date:

Previous
From: "A. Ozen Akyurek"
Date:
Subject: OleDB and Delphi
Next
From: Alvaro Herrera
Date:
Subject: Re: BUG #3809: SSL "unsafe" private key permissions bug