Thread: BUG #1963: SSL certificate permission check is too strict
The following bug has been logged online: Bug reference: 1963 Logged by: Martin Pitt Email address: mpitt@debian.org PostgreSQL version: 8.1beta3 Operating system: Debian Description: SSL certificate permission check is too strict Details: Currently the postmaster requires the private SSL key file to have the same owner as the postmaster, and no permissions for group and others. However, this is too strict to sensibly use the certificate with ACLs, which permits other server processes to share it. In Debian I applied a patch which relaxes the check a bit: in addition to the currently allowed permissions, the file might be: - owned by root - group-readable if the file is in group root or the postmaster group. Since this likely affects non-Debian server installations as well, do you consider adopting this? Thanks! Martin Original Debian bug report: http://bugs.debian.org/327901 Debian patch against 8.1beta3: http://people.debian.org/~mpitt/09-relax-sslkey-permscheck.patch
"Martin Pitt" <mpitt@debian.org> writes:
> Currently the postmaster requires the private SSL key file to have the same
> owner as the postmaster, and no permissions for group and others. However,
> this is too strict to sensibly use the certificate with ACLs, which permits
> other server processes to share it.
> In Debian I applied a patch which relaxes the check a bit: in addition to
> the currently allowed permissions, the file might be:
> - owned by root
> - group-readable if the file is in group root or the postmaster group.
This was proposed and rejected before --- it's not clear why it's a good
idea to share a private key file with other servers, and even less clear
why it'd be a good idea to have such a file be group-readable by a large
group.
regards, tom lane
Hi Tom! Tom Lane [2005-10-14 11:38 -0400]: > "Martin Pitt" <mpitt@debian.org> writes: > > Currently the postmaster requires the private SSL key file to have the = same > > owner as the postmaster, and no permissions for group and others. Howev= er, > > this is too strict to sensibly use the certificate with ACLs, which per= mits > > other server processes to share it. >=20 > > In Debian I applied a patch which relaxes the check a bit: in addition = to > > the currently allowed permissions, the file might be: > > - owned by root > > - group-readable if the file is in group root or the postmaster group. >=20 > This was proposed and rejected before --- it's not clear why it's a good > idea to share a private key file with other servers,=20 On my own boxes I usually create one certificate per box, not per server. This keeps certificate management easy and avoids redundancy - why should I create separate certifictates for each server I run? I want to validate the identity computers with the certificates, nothing more. This seems to be a common practice. > and even less clear why it'd be a good idea to have such a file be > group-readable by a large group. The group does not need to be big; for sharing certificates, you basically have two options: - Use ACLs; this is a clean way, but not supported by all file systems, and even by less backup systems. It does not require groups, though. - Create a "sslkey" group and add all servers to it that need read permission to the certificate. AIUI this check should prevent admins from accidentially shooting themselves in the foot, not make it totally impossible to configure stuff as the admin wants. Or is that wrong? At least the certificate could be permitted to be owned/in group root. I cannot see how this should weaken the certificate's security. Thanks and have a nice weekend! Martin --=20 Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntu.com Debian Developer http://www.debian.org In a world without walls and fences, who needs Windows and Gates?
Martin Pitt <mpitt@debian.org> writes:
> At least the certificate could be permitted to be owned/in group root.
> I cannot see how this should weaken the certificate's security.
Postgres doesn't run as root, hence could not use such a certificate
unless it was world-readable.
Or should I infer from this that you've also patched out that safety
check?
regards, tom lane
Hi Tom! Tom Lane [2005-10-16 0:41 -0400]: > Martin Pitt <mpitt@debian.org> writes: > > At least the certificate could be permitted to be owned/in group root. > > I cannot see how this should weaken the certificate's security. >=20 > Postgres doesn't run as root, hence could not use such a certificate > unless it was world-readable. Please see my original mail. If you use ACLs, postgres can very well be able to read the certificate. The point was that a key's security is not weakened if it is owned by root instead of "postgres" - to the contrary. So I don't see the point of the check that actively prohibits a key being owned by root. Martin --=20 Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntulinux.org Debian Developer http://www.debian.org