Bruce Momjian <br...@momjian.us> writes:
> On Thu, Feb 18, 2016 at 10:17:49AM -0500, Tom Lane wrote:
>> We could allow group-readable if we had some way to know whether to
>> trust the specific group, but I don't think there's any practical
>> way to do that. System conventions vary too much.

> Should we have a GUC to control the group permissions restriction? I
> can certainly see value in allowing for group access to the certificate.

Meh ... I think such a GUC would mostly be a way to shoot yourself in
the foot. (For example, imagine an OS X user who sets it to "staff"
instead of doing the right thing and adjusting the file's permissions.)

I did have a thought though: could we allow two distinct permissions
configurations? That is, allow either:

* file is owned by us, mode 0600 or less
* file is owned by root, mode 0640 or less

The first case is what we allow today. (We don't need an explicit
ownership check; if the mode is 0600 and we can read it, we must be the
owner.) The second case is what Debian wants. We already know we are
not root, so if we can read the file, we must be part of the group that
root has allowed to read the file, and at that point it's on root's head
whether or not that group is secure. I don't have a problem with
trusting root's judgment on security matters --- if the root admin is
incompetent, there are probably holes everywhere anyway.

The problem with the proposed patch is that it's conflating these
distinct cases, but that's easily fixed.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers