Hi, Currently the server insists on ssl_key_file's permissions to be 0600 or less, and be owned by the database user. Debian has been patching be-secure.c since forever (the git history goes back to 8.2beta1) to relax that to 0640 or less, and owned by root or the database user.
The reason for that is that we hooked the SSL certificate handling into the system's /etc/ssl/ directory structure where private keys are supposed to have permissions 0640 root:ssl-cert. The postgres user is member of the ssl-cert group so it can read the key. In the old days before 9.2 the server expected the SSL files in PGDATA, and we created symlinks from there to /etc/ssl/. Since 9.2, these certs are used in the ssl_*_file options. Using symlinks in PGDATA to use system-wide certificates might have been a hack, but with the "new" ssl_*_file options I think it might be prudent to get the "allow group ssl-cert" patch upstreamed. Comments? (There's no documentation yet, I'll add that if the feedback is positive.) Thanks, Christoph
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c new file mode 100644 index 1e3dfb6..b42737f *** a/src/backend/libpq/be-secure-openssl.c --- b/src/backend/libpq/be-secure-openssl.c *************** be_tls_init(void) *** 215,226 **** * directory permission check in postmaster.c) */ #if !defined(WIN32) && !defined(__CYGWIN__) ! if (!S_ISREG(buf.st_mode) || buf.st_mode & (S_IRWXG | S_IRWXO)) ereport(FATAL, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("private key file \"%s\" has group or world access", ssl_key_file), ! errdetail("Permissions should be u=rw (0600) or less."))); #endif if (SSL_CTX_use_PrivateKey_file(SSL_context, --- 215,229 ---- * directory permission check in postmaster.c) */ #if !defined(WIN32) && !defined(__CYGWIN__) ! if (!S_ISREG(buf.st_mode) || (buf.st_mode & (S_IWGRP | S_IRWXO)) || ! ((buf.st_uid != geteuid()) && buf.st_uid != 0)) ereport(FATAL, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("private key file \"%s\" has group or world access", ssl_key_file), ! errdetail("File must be owned by the \ ! database user or root, must have no write permission for \"group\", and must \ ! have no permissions for \"other\"."))); #endif if (SSL_CTX_use_PrivateKey_file(SSL_context,
-- Sent via pgsql-hackers mailing list (email@example.com) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers