Re: To Tom Lane 2016-02-19 <20160219115334.gb26...@msg.df7cb.de>
> Updated patch attached.
*Blush* I though I had compile-tested the patch, but without
--enable-openssl it wasn't built :(.
The attached patch has successfully been included in the 9.6 Debian
package, passed the regression tests there, and I've also done some
chmod/chown tests on the filesystem to verify it indeed catches the
cases laid out by Tom.
Christoph
--
c...@df7cb.de | http://www.df7cb.de/
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
new file mode 100644
index 1e3dfb6..a6c4ba0
*** a/src/backend/libpq/be-secure-openssl.c
--- b/src/backend/libpq/be-secure-openssl.c
*************** be_tls_init(void)
*** 207,213 ****
ssl_key_file)));
/*
! * Require no public access to key file.
*
* XXX temporarily suppress check when on Windows, because there may
* not be proper support for Unix-y file permissions. Need to think
--- 207,217 ----
ssl_key_file)));
/*
! * Require no public access to key file. If the file is owned by us,
! * require mode 0600 or less. If owned by root, require 0640 or less
! * to allow read access through our gid, or a supplementary gid that
! * allows to read system-wide certificates. Refuse to load files owned
! * by other users.
*
* XXX temporarily suppress check when on Windows, because there may
* not be proper support for Unix-y file permissions. Need to think
*************** be_tls_init(void)
*** 215,226 ****
* directory permission check in postmaster.c)
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
! if (!S_ISREG(buf.st_mode) || buf.st_mode & (S_IRWXG | S_IRWXO))
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" has group or world access",
ssl_key_file),
! errdetail("Permissions should be u=rw (0600) or less.")));
#endif
if (SSL_CTX_use_PrivateKey_file(SSL_context,
--- 219,233 ----
* directory permission check in postmaster.c)
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
! if (!S_ISREG(buf.st_mode) ||
! (buf.st_uid == geteuid() && buf.st_mode & (S_IRWXG | S_IRWXO)) ||
! (buf.st_uid == 0 && buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) ||
! (buf.st_uid != geteuid() && buf.st_uid != 0))
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" has group or world access",
ssl_key_file),
! errdetail("File must be owned by the database user and have permissions u=rw (0600) or less, or owned by root and have permissions u=rw,g=w (0640) or less.")));
#endif
if (SSL_CTX_use_PrivateKey_file(SSL_context,
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
