Re: Tom Lane 2016-02-18 <27423.1455809...@sss.pgh.pa.us>
> I did have a thought though: could we allow two distinct permissions
> configurations? That is, allow either:
>
> * file is owned by us, mode 0600 or less
>
> * file is owned by root, mode 0640 or less
>
> The first case is what we allow today. (We don't need an explicit
> ownership check; if the mode is 0600 and we can read it, we must be
> the owner.) The second case is what Debian wants. We already know
> we are not root, so if we can read the file, we must be part of the
> group that root has allowed to read the file, and at that point it's
> on root's head whether or not that group is secure. I don't have a
> problem with trusting root's judgment on security matters --- if the
> root admin is incompetent, there are probably holes everywhere anyway.
Makes sense to me.

> The problem with the proposed patch is that it's conflating these
> distinct cases, but that's easily fixed.

Updated patch attached.

Christoph
--
c...@df7cb.de | http://www.df7cb.de/
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c new file mode 100644 index 1e3dfb6..1f61601 *** a/src/backend/libpq/be-secure-openssl.c --- b/src/backend/libpq/be-secure-openssl.c *************** be_tls_init(void) *** 207,213 **** ssl_key_file))); /* ! * Require no public access to key file. * * XXX temporarily suppress check when on Windows, because there may * not be proper support for Unix-y file permissions. Need to think --- 207,217 ---- ssl_key_file))); /* ! * Require no public access to key file. If the file is owned by us, ! * require mode 0600 or less. If owned by root, require 0640 or less ! * to allow read access through our gid, or a supplementary gid that ! * allows to read system-wide certificates. Refuse to load files owned ! * by other users. * * XXX temporarily suppress check when on Windows, because there may * not be proper support for Unix-y file permissions. Need to think *************** be_tls_init(void) *** 215,226 **** * directory permission check in postmaster.c) */ #if !defined(WIN32) && !defined(__CYGWIN__) ! if (!S_ISREG(buf.st_mode) || buf.st_mode & (S_IRWXG | S_IRWXO)) ereport(FATAL, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("private key file \"%s\" has group or world access", ssl_key_file), ! errdetail("Permissions should be u=rw (0600) or less."))); #endif if (SSL_CTX_use_PrivateKey_file(SSL_context, --- 219,233 ---- * directory permission check in postmaster.c) */ #if !defined(WIN32) && !defined(__CYGWIN__) ! if (!S_ISREG(buf.st_mode) || ! (buf.st_uid == geteuid() && buf.st_mode & (S_IRWXGRP | S_IRWXO)) || ! (buf.st_uid == 0 && buf.st_mode & (S_IWXGRP | S_IRWXO)) || ! (buf.st_uid != geteuid() && buf.st_uid != 0)) ereport(FATAL, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("private key file \"%s\" has group or world access", ssl_key_file), ! 
errdetail("File must be owned by the database user and have permissions u=rw (0600) or less, or owned by root and have permissions u=rw,g=w (0640) or less."))); #endif if (SSL_CTX_use_PrivateKey_file(SSL_context,
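Review bot: in the comment hunk (lines 207-217), "a supplementary gid that allows to read system-wide certificates" reads awkwardly; suggest "a supplementary gid that allows reading system-wide certificates". It would also help a later reader if the comment stated why the root-owned case may be weaker: only root can grant that group read access, so a readable 0640 file implies root deliberately put us in the group, which is the reasoning the thread relies on.

Review bot: in the code hunk (lines 219-233), `S_IRWXGRP` and `S_IWXGRP` are not names defined by `<sys/stat.h>`, so this will not compile; the owner-is-us branch should keep `S_IRWXG | S_IRWXO` as in the old code, and the root-owned branch should reject group write and execute while allowing group read, i.e. `buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)`. The new errdetail also misstates the root case: 0640 is `u=rw,g=r`, not `u=rw,g=w`. Finally, the errmsg "has group or world access" is now reached for a file owned by some third user too, where the problem is ownership rather than mode; consider wording like "has invalid ownership or permissions", or a separate ereport for the ownership branch, so the log points the admin at the right fix.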
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers