pgsql: Allow SSL server key file to have group read access if owned by - Mailing list pgsql-committers

From Peter Eisentraut
Subject pgsql: Allow SSL server key file to have group read access if owned by
Date
Msg-id E1ahEIL-0005t3-B0@gemulon.postgresql.org
List pgsql-committers
Allow SSL server key file to have group read access if owned by root

We used to require the server key file to have permissions 0600 or less
for best security.  But some systems (such as Debian) have certificate
and key files managed by the operating system that can be shared with
other services.  In those cases, the "postgres" user is made a member of
a special group that has access to those files, and the server key file
has permissions 0640.  To accommodate that kind of setup, also allow the
key file to have permissions 0640 but only if owned by root.

From: Christoph Berg <myon@debian.org>
Reviewed-by: Alvaro Herrera <alvherre@alvh.no-ip.org>

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/9a83564c58b7f6363141a8f1d0c87c89a5ebab5d

Modified Files
--------------
doc/src/sgml/runtime.sgml             | 13 ++++++++++++-
src/backend/libpq/be-secure-openssl.c | 33 ++++++++++++++++++++++++++++-----
2 files changed, 40 insertions(+), 6 deletions(-)

