On 2016-02-18 10:17:49 -0500, Tom Lane wrote: > Christoph Berg <m...@debian.org> writes: > > Currently the server insists on ssl_key_file's permissions to be 0600 > > or less, and be owned by the database user. Debian has been patching > > be-secure.c since forever (the git history goes back to 8.2beta1) to > > relax that to 0640 or less, and owned by root or the database user. > > Debian can do that if they like, but it's entirely unacceptable as an > across-the-board patch. Not all systems treat groups as being narrow > domains in which it's okay to assume that group-readable files are > secure enough to be keys. As an example, on OS X user files tend to be > group "staff" or "admin" which'd be close enough to world readable. > > We could allow group-readable if we had some way to know whether to > trust the specific group, but I don't think there's any practical > way to do that. System conventions vary too much.
Isn't that a bit overly restrictive? Asking users to patch out checks, for perfectly reasonable configurations, strikes me as a bit unbalanced. There's never reasons to make the file world read/writable; but there seem to be plenty of scenarios where the file should be read/writable by specific groups. We don't prevent the user from making the configuration file world-writable either, so there's not really that much of a security benefit of being overly restrictive with other parameters - you can just ocnfigure an archive command of your choosing and such. Andres -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers