Re: [pgAdmin4][Patch]: Allow user to provide custom SSL certificatesand provide .pgpass file - Mailing list pgadmin-hackers

From Dave Page
Subject Re: [pgAdmin4][Patch]: Allow user to provide custom SSL certificatesand provide .pgpass file
Date
Msg-id CA+OCxoyeprfb-zvCvg_CX6pT4EruQV=tSMONhpZBBgxF2YWyQA@mail.gmail.com
Whole thread Raw
In response to Re: [pgAdmin4][Patch]: Allow user to provide custom SSL certificatesand provide .pgpass file  (Murtuza Zabuawala <murtuza.zabuawala@enterprisedb.com>)
Responses Re: [pgAdmin4][Patch]: Allow user to provide custom SSL certificatesand provide .pgpass file
List pgadmin-hackers
Hi

On Mon, Sep 4, 2017 at 2:55 PM, Murtuza Zabuawala <murtuza.zabuawala@enterprisedb.com> wrote:
Hi Dave,

Can we at least commit the patch?

In future, If user complaints regarding SSL default path behaviour in server mode then adding default null file wouldn't be a big change if required.

I'm not concerned about complaints on the behaviour, I'm concerned about complaints that it's a security risk if we have multiple users inadvertently able to read a certificate and key owned by the webserver account.

Ashesh/Akshay - please read the thread and provide your feedback. Others chime in if you have anything as well please.

Thanks.
 

On Wed, Aug 30, 2017 at 2:23 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Wed, Aug 30, 2017 at 6:49 AM, Murtuza Zabuawala <murtuza.zabuawala@enterprisedb.com> wrote:
Hi Dave,

PFA updated patch with new screenshots and docs accordingly.

RM

​#​
2649
​ & RM#​
2650

On Tue, Aug 29, 2017 at 7:51 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Fri, Aug 25, 2017 at 2:45 PM, Murtuza Zabuawala <murtuza.zabuawala@enterprisedb.com> wrote:
Hi Dave,

Please find updated patch, 
- For displaying hidden files I have added preference option in Storage section.

How painful would it be to include it on the file dialogue as well?
​Done​
 
 
- Updated Docs & Screenshots.
- User can use 'prefer' option to enable SSL options.

Cool.

A couple of other things I realised in playing with this:

1) The SSL tab should come before Advanced I think.
​Done​
 

2) The docs now mention the default SSL files. In server mode, using defaults is probably a bad idea I suspect (because they would be shared). Should we force the values to /dev/null (and whatever is appropriate on Windows) if running in server mode? Users can always override that with something from their storage area.

Thoughts?
​In my opinion we should not ​force users to provide certificates, we can let them decide how they want to configure it.

It's not about forcing them to provide them, it's about preventing them from using defaults which may be owned by the user that the app runs as on a server, but that should not be (unless explicitly allowed by the sysadmin) accessible to every pgAdmin user. 

Thoughts from others? Ashesh?

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company




--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

pgadmin-hackers by date:

Previous
From: Murtuza Zabuawala
Date:
Subject: Re: [pgAdmin4][Patch]: Allow user to provide custom SSL certificatesand provide .pgpass file
Next
From: pgAdmin 4 Jenkins
Date:
Subject: Build failed in Jenkins: pgadmin4-master-python27-feature #11