Re: SAST FATAL: could not access private key file "server.key" - Mailing list pgsql-general

From Albe Laurenz
Subject Re: SAST FATAL: could not access private key file "server.key"
Date
Msg-id D960CB61B694CF459DCFB4B0128514C20244E743@exadv11.host.magwien.gv.at
In response to Re: SAST FATAL: could not access private key file "server.key"  ("Dave Coventry" <dgcoventry@gmail.com>)
List pgsql-general
Dave Coventry wrote:
>> If you want SSL,
>> 2) Is there a file server.key? If yes, make it readable to the
>>   postgres user. If not, create it as documented.
>
> Here is the contents of my /var/lib/postgresql/8.2/main/ :
>
> root@Admin:/var/lib/postgresql/8.2/main# ls -l
> total 9
> drwx------ 7 postgres postgres 168 2008-06-29 11:27 base
> drwx------ 2 postgres postgres 768 2008-06-30 13:01 global
> drwx------ 2 postgres postgres  72 2008-06-24 09:37 pg_clog
> drwx------ 4 postgres postgres  96 2008-06-24 09:37 pg_multixact
> drwx------ 2 postgres postgres  72 2008-06-24 09:37 pg_subtrans
> drwx------ 2 postgres postgres  48 2008-06-24 09:37 pg_tblspc
> drwx------ 2 postgres postgres  48 2008-06-24 09:37 pg_twophase
> -rw------- 1 postgres postgres   4 2008-06-24 09:37 PG_VERSION
> drwx------ 3 postgres postgres 120 2008-06-24 09:37 pg_xlog
> -rw------- 1 postgres postgres 125 2008-06-30 08:59 postmaster.opts
> lrwxrwxrwx 1 root     root      31 2008-06-24 09:37 root.crt ->
> /etc/postgresql-common/root.crt
> lrwxrwxrwx 1 root     root      36 2008-06-24 09:37 server.crt ->
> /etc/ssl/certs/ssl-cert-snakeoil.pem
> lrwxrwxrwx 1 root     root      38 2008-06-24 09:37 server.key ->
> /etc/ssl/private/ssl-cert-snakeoil.key
>
> 'server.key' seems to be writable to all and sundry, although the file
> it is linked to (ssl-cert-snakeoil.key) is not:
>
>
> root@Admin:/etc/ssl/private# ls -l
> total 4
> -rw------- 1 root ssl-cert 887 2008-06-11 12:18 ssl-cert-snakeoil.key

You will need to give postgres read permission to /etc/ssl/private/ssl-cert-snakeoil.key.
This also means giving 'traverse directory' (x) permissions
on all the directories in the path to user postgres.

You can test it by becoming user postgres and trying to 'cat' the file.

Was it you who set up the system like that?
Maybe there are good reasons why the key file is only accessible by root.
Maybe you shouldn't use this file as your server key.
But these are considerations beyond my view here.

Yours,
Laurenz Albe
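A way to verify the advice in this reply without switching users, added here as an example that is not part of the thread: the script resolves the server.key symlink, then applies POSIX mode bits for a given uid and group set to every directory on the way to the target and to the target itself, reporting exactly which component blocks access. The function names (key_access_problems, key_world_readable) are my own; the script models mode bits only and does not account for root, POSIX ACLs or SELinux.

```python
import grp
import os
import pwd
import stat
import sys

def _bits_for(st, uid, gids):
    """rwx triplet (0-7) that applies to this user for one inode.

    POSIX uses the first matching class (owner, then group, then other);
    a matching class applies even if a later one would grant more."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def key_access_problems(path, uid, gids):
    """Explain why user uid (member of groups gids) cannot read the key at path.

    Returns an empty list when the key is readable. The symlink chain is
    resolved first, so server.key -> /etc/ssl/private/... is judged by its
    target and by the traverse (x) bit on every directory leading to it,
    not by the lrwxrwxrwx mode of the link itself.
    Mode bits only: root, POSIX ACLs and SELinux are not modelled."""
    target = os.path.realpath(path)
    if not os.path.exists(target):
        return [f"{path}: missing file or dangling link (resolves to {target})"]
    problems = []
    current = os.sep
    for part in target.split(os.sep)[1:-1]:
        current = os.path.join(current, part)
        if not _bits_for(os.stat(current), uid, gids) & 1:
            problems.append(f"{current}: no traverse (x) permission for uid {uid}")
    if not _bits_for(os.stat(target), uid, gids) & 4:
        problems.append(f"{target}: no read permission for uid {uid}")
    return problems

def key_world_readable(path):
    """True when the key's target has the 'other' read bit: any local user could copy it."""
    return bool(os.stat(os.path.realpath(path)).st_mode & stat.S_IROTH)

if __name__ == "__main__":
    # Usage: python check_key.py /var/lib/postgresql/8.2/main/server.key postgres
    pw = pwd.getpwnam(sys.argv[2])
    gids = {g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem} | {pw.pw_gid}
    for line in key_access_problems(sys.argv[1], pw.pw_uid, gids) or ["readable: ok"]:
        print(line)
```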
