Your message dated Sun, 11 Dec 2005 02:47:06 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#341141: fixed in postgresql-common 37
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Antonio Kanouras <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: postgresql-common: Please change default permissions for SSL key file
Date: Mon, 28 Nov 2005 19:22:17 +0200
Package: postgresql-common
Version: 30
Severity: wishlist
Hi, I tried to change /etc/postgresql-common/postgresql.pem's
permissions to:

    -rw-r----- 1 root postgres 887 2005-11-28 18:12 postgresql.pem

which seems safer to me (a successful attacker won't be able to change
the key file), and after trying to start the server:

    estia:0:~# invoke-rc.d postgresql-8.0 start
    Starting PostgreSQL 8.0 database server: mainThe PostgreSQL server
    failed to start. Please check the log output:
    FATAL: unsafe permissions on private key file
    "/var/lib/postgresql/8.0/main/server.key"
    DETAIL: File must be owned by the database user and must have no
    permissions for "group" or "other".
    failed!

As a sidenote, postgresql.pem's permissions should really be:

    -rw------- 1 root root 887 2005-11-28 18:12 postgresql.pem

and PostgreSQL should open the file as root and then setuid to
postgresql.

I suggest at least the 1st solution be made default (if the 2nd is too
difficult/time-consuming to implement).

Many thanks for your work!

Cheers,
Antonio

PS: Shouldn't the initscript return a non-zero exit code if it fails?

-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (700, 'testing'), (300, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.13-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages postgresql-common depends on:
ii adduser 3.77 Add and remove users and groups
Versions of packages postgresql-common recommends:
ii openssl 0.9.8a-3 Secure Socket Layer (SSL) binary a
-- no debconf information
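
The ownership layouts discussed in this report, as an added example that is not part of the original report or of postgresql-common: a shell check that classifies a key file as owned by the database user with no group/other bits (what the quoted FATAL message demands), root:postgres 0640 (the layout in the version 37 changelog), or root-only 0600 (the reporter's second suggestion). The function names, the result labels and the sample rows are constructed for illustration; audit_key_file assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the bug report or postgresql-common).
# classify_key_perms OWNER GROUP MODE DBUSER DBGROUP
# MODE is octal as printed by `stat -c %a`, e.g. 600 or 640.
classify_key_perms() {
    ckp_perm=$(( 0$3 & 0777 ))
    # Layout the 8.0 server check demands: owned by the database user,
    # no permission bits at all for group or other.
    if [ "$1" = "$4" ] && [ $(( ckp_perm & 077 )) -eq 0 ]; then
        echo owner-only; return 0
    fi
    # Layout from the postgresql-common 37 changelog: root:postgres 0640.
    # The database user reads the key through its group but cannot write it.
    if [ "$1" = root ] && [ "$2" = "$5" ] &&
       [ $(( ckp_perm & 0137 )) -eq 0 ] && [ $(( ckp_perm & 040 )) -ne 0 ]; then
        echo root-group-read; return 0
    fi
    # The reporter's second suggestion: root-owned, 0600. Only usable if
    # the server reads the key before dropping privileges.
    if [ "$1" = root ] && [ $(( ckp_perm & 077 )) -eq 0 ]; then
        echo root-only; return 0
    fi
    echo unsafe; return 1
}

# audit_key_file PATH DBUSER DBGROUP
# Reads owner, group and mode with GNU stat (following symlinks) and
# classifies them. Returns 2 if the file cannot be examined.
audit_key_file() {
    akf_info=$(stat -L -c '%U %G %a' -- "$1") || return 2
    set -- $akf_info "$2" "$3"
    classify_key_perms "$@"
}

# Constructed sample rows (owner group mode), checked for a database
# user and group both named "postgres".
for row in "postgres postgres 600" "root postgres 640" \
           "root root 600" "postgres postgres 644"; do
    set -- $row
    printf '%s:%s %s -> %s\n' "$1" "$2" "$3" \
        "$(classify_key_perms "$1" "$2" "$3" postgres postgres)"
done
```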
---------------------------------------
From: Martin Pitt <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#341141: fixed in postgresql-common 37
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sun, 11 Dec 2005 02:47:06 -0800
Source: postgresql-common
Source-Version: 37
We believe that the bug you reported is fixed in the latest version of
postgresql-common, which is due to be installed in the Debian FTP archive:
postgresql-common_37.dsc
to pool/main/p/postgresql-common/postgresql-common_37.dsc
postgresql-common_37.tar.gz
to pool/main/p/postgresql-common/postgresql-common_37.tar.gz
postgresql-common_37_all.deb
to pool/main/p/postgresql-common/postgresql-common_37_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <[EMAIL PROTECTED]> (supplier of updated postgresql-common package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 10 Dec 2005 23:36:41 +0100
Source: postgresql-common
Binary: postgresql-common
Architecture: source all
Version: 37
Distribution: unstable
Urgency: low
Maintainer: Martin Pitt <[EMAIL PROTECTED]>
Changed-By: Martin Pitt <[EMAIL PROTECTED]>
Description:
postgresql-common - manager for PostgreSQL database clusters
Closes: 338031 340200 340459 341141 341267 341951
Changes:
postgresql-common (37) unstable; urgency=low
.
* debian/postgresql-common.config: Only show the obsolete version warning
once.
* Add French debconf translations, thanks to Guilhelm Panaget.
Closes: #340200, #341267
* debian/postgresql-common.postinst: Change default permissions of the
private SSL key to root:postgres 0640 to prevent potential modification of
the certificate by the postmaster. Closes: #341141
* Add Czech debconf translations, thanks to Miroslav Kure. Closes: #341951
* debian/postgresql-common.postinst: Check that the postgres user/group is
not root; fail installation with a meaningful error message if it is.
Closes: #340459
* t/040_upgrade.t: Check upgrading of sequence and stored PL/PgSQL
procedure.
* pg_upgradecluster: Change hardcoded and obsolete library paths to
'$libdir' in the new cluster. This fixes upgrades of 7.4 clusters that
were upgraded from woody. Closes: #338031
Files:
e1ae7a3f0be711b6081a5c1ea304ffa1 578 misc optional postgresql-common_37.dsc
8502f94fdabaad0677d108aae3d2247e 61578 misc optional
postgresql-common_37.tar.gz
9b74feff37de81b46362d2e2d9d32b55 82454 misc optional
postgresql-common_37_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDnAGaDecnbV4Fd/IRAhBoAKDcRt8PyVUkaRgpmIrumCkS64QbvQCg00oV
36XO7LjEGt6qI9xkgCe0930=
=EWFI
-----END PGP SIGNATURE-----