[pgadmin-hackers] file permission on ssl key

2017-04-23 Thread Jeroen Jacobs
Hi,

I'm getting this error when I try to configure ssl with postgres:

Apr 23 13:12:47 pgmaster01 pg_ctl: FATAL:  private key file "/etc/ssl/pgmaster01-key.pem" has group or world access
Apr 23 13:12:47 pgmaster01 pg_ctl: DETAIL:  Permissions should be u=rw (0600) or less.

The actual permission is:

[centos@pgmaster01 ~]$ ls -l /etc/ssl/pgmaster01-key.pem
-r--r- 1 root ssl-read 3243 Apr 23 00:00 /etc/ssl/pgmaster01-key.pem

postgres user is part of the ssl-read group. This ssl key is shared with other 
software as well, so giving exclusive access to the postgres user is NOT an 
option.

I understand why postgres complains, but I'm pretty sure about what I'm doing 
here. How can I tell postgres to start anyway, even when it doesn't like those 
permissions? There should be a way to override this, I'm the admin here, it's 
up to me to decide to implement my security setup, not the software itself.

So basically I have three options:

- don't use ssl at all (not an option at all, actually)
- create a separate copy of my ssl key file with the correct permissions that 
postgres likes (ugly workaround)
- use another database server which allows me to configure it how I want it.


I'm actually considering settling for the last solution, due to this crazy 
restriction you put in place...


Regards,

Jeroen.


Re: [pgadmin-hackers] file permission on ssl key

2017-04-23 Thread Ashesh Vashi
Hi Jeroen,

This is pgAdmin hackers list.
Please send mail to pgsql-gene...@postgresql.org mailing list for your
postgresql related queries.

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company



*http://www.linkedin.com/in/asheshvashi*


On Sun, Apr 23, 2017 at 11:25 PM, Jeroen Jacobs <
jeroen.jac...@headincloud.be> wrote:

> Hi,
>
> I'm getting this error when I try to configure ssl with postgres:
>
> Apr 23 13:12:47 pgmaster01 pg_ctl: FATAL:  private key file "/etc/ssl/pgmaster01-key.pem" has group or world access
> Apr 23 13:12:47 pgmaster01 pg_ctl: DETAIL:  Permissions should be u=rw (0600) or less.
>
> The actual permission is:
>
> [centos@pgmaster01 ~]$ ls -l /etc/ssl/pgmaster01-key.pem
> -r--r- 1 root ssl-read 3243 Apr 23 00:00 /etc/ssl/pgmaster01-key.pem
>
> postgres user is part of the ssl-read group. This ssl key is shared with
> other software as well, so giving exclusive access to the postgres user is
> NOT an option.
>
> I understand why postgres complains, but I'm pretty sure about what I'm
> doing here. How can I tell postgres to start anyway, even when it doesn't
> like those permissions? There should be a way to override this, I'm the
> admin here, it's up to me to decide to implement my security setup, not the
> software itself.
>
> So basically I have three options:
>
> - don't use ssl at all (not an option at all, actually)
> - create a separate copy of my ssl key file with the correct permissions
> that postgres likes (ugly workaround)
> - use another database server which allows me to configure it how I want
> it.
>
> I'm actually considering settling for the last solution, due to this crazy
> restriction you put in place...
>
>
> Regards,
>
> Jeroen.
>


[pgadmin-hackers] pgAdmin 4 commit: [Configuration][Migration] Use 'alembic' for migratio

2017-04-23 Thread Ashesh Vashi
[Configuration][Migration] Use 'alembic' for migration of the SQLite
based configuration file from one version to another, and also allows us
to have a single path of creating the table instead of creating tables
using SQLAlchemy or hand rolled SQL

This allows us to run the migrations directly in the code, and it will
avoid the error prone version numbering.

Patched by: Sarah McAlear
Revisions: Joao Pedro De Almeida Pereira, George Gelashvili.
Reviewed by: Ashesh Vashi, Murtuza Zabuawala

Branch
------
master

Details
-------
https://git.postgresql.org/gitweb?p=pgadmin4.git;a=commitdiff;h=6283ef7f5e4379d5e2202ca2919b9ea76caf57c7
Author: Sarah McAlear 

Modified Files
--------------
README                                   |  16 ++
web/migrations/alembic.ini               |  54
web/migrations/env.py                    |  94 +++
web/migrations/script.py.mako            |  33 +++
web/migrations/versions/09d53fca90c7_.py | 242 +
web/migrations/versions/fdc58d9bd449_.py | 128 +
web/pgAdmin4.py                          |  11 -
web/pgAdmin4.wsgi                        |  20 ++
web/pgadmin/__init__.py                  |  42 +--
web/pgadmin/setup/__init__.py            |  13 +
web/pgadmin/setup/data_directory.py      |  32 +++
web/pgadmin/setup/db_upgrade.py          |  25 ++
web/pgadmin/setup/db_version.py          |  28 ++
web/pgadmin/setup/user_info.py           |  72 +
web/setup.py                             | 439 +--
15 files changed, 779 insertions(+), 470 deletions(-)


-- 
Sent via pgadmin-hackers mailing list (pgadmin-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-hackers


Re: [pgadmin-hackers][patch] Move to Alembic migration system

2017-04-23 Thread Ashesh Vashi
On Fri, Apr 21, 2017 at 7:59 PM, Joao Pedro De Almeida Pereira <
jdealmeidapere...@pivotal.io> wrote:

> Hello Hackers,
>
> We review the patch, just noticed a spelling issue so we regenerated the
> patch.
>
Thanks.
Your patch was missing README changes. :-)

Committed after adding the necessary changes.

-- Thanks,
Ashesh Vashi


>
> Thanks
> Joao & Oliver
>
> On Fri, Apr 21, 2017 at 1:21 AM, Ashesh Vashi <
> ashesh.va...@enterprisedb.com> wrote:
>
>> Hi Joao & Oliver,
>>
>> On Fri, Apr 21, 2017 at 3:39 AM, Joao Pedro De Almeida Pereira <
>> jdealmeidapere...@pivotal.io> wrote:
>>
>>> Hello Hackers,
>>>
>>> @Ashesh thanks for the feedback
>>>
>>> Here is the reviewed patch with the suggestions of Ashesh.
>>>
>>> Disclaimer: We added a new patch file with the changes
>>>
>>
>> I have made some more changes to the patch.
>> - 'with app.app_context(..)' statement was not required in the
>> 'web/pgadmin/__init__.py' as we're already doing that in the do_upgrade
>> function.
>> - We also need to create other directories (i.e. sessions, storage,
>> directory containing the log-file) during the setup/running the application
>> (if not exists).
>> - Added proper check in the pgAdmin4.wsgi file (if configuration file
>> exists, or not)
>>
>> Please review it.
>>
>> -- Thanks, Ashesh
>>
>>
>


[pgadmin-hackers] [pgAdmin4][PATCH] To fix the issue with Node rename

2017-04-23 Thread Murtuza Zabuawala
Hi,

PFA minor patch to fix the issue where node rename is not working properly
after 7dd9efd8 commit.
RM#2355

--
Regards,
Murtuza Zabuawala
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
diff --git a/web/pgadmin/browser/templates/browser/js/browser.js 
b/web/pgadmin/browser/templates/browser/js/browser.js
index a663ae8..aceda92 100644
--- a/web/pgadmin/browser/templates/browser/js/browser.js
+++ b/web/pgadmin/browser/templates/browser/js/browser.js
@@ -1207,10 +1207,8 @@ function(require, $, _, S, Bootstrap, pgAdmin, Alertify, 
CodeMirror) {
 // if label is different then we need to
 // refresh parent so that node get properly
 // placed in tree
-if(this.d.label != this.new.label) {
-  var p = this.t.parent(this.i);
-  pgAdmin.Browser.onRefreshTreeNode(p);
-}
+var is_refresh_required = this.d.label != this.new.label,
+  parent_item = this.t.parent(this.i);
 
 self.t.openPath(self.i);
 self.t.deselect(self.i);
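Review bot: The comment left above the new `var` declaration ("if label is different then we need to refresh parent so that node get properly placed in tree") no longer sits next to the refresh, which is now deferred into the `setTimeout` callback; reword it to say the refresh happens after the node is re-selected, or move it beside the `onRefreshTreeNode` call. The declaration also reads `this.d`, `this.new`, `this.t` and `this.i` while the lines right after it use `self.t` and `self.i`; using `self` throughout would make it clear both refer to the same object, and `!==` would avoid type coercion in the label comparison.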
@@ -1218,6 +1216,9 @@ function(require, $, _, S, Bootstrap, pgAdmin, Alertify, 
CodeMirror) {
 // select tree item after few milliseconds
 setTimeout(function() {
   self.t.select(self.i);
+  if (is_refresh_required && parent_item.length) {
+pgAdmin.Browser.onRefreshTreeNode(parent_item);
+  }
 }, 10);
   }
 }
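Review bot: `parent_item.length` in the new `if` assumes `this.t.parent(this.i)` always returns an object; if it can return `null` or `undefined` for a top-level item, the callback will throw inside the timer, so `parent_item && parent_item.length` would be safer. A one-line comment explaining why the parent refresh has to run after `self.t.select(self.i)` would also help, since the existing comment only explains the delayed select.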



Re: [pgadmin-hackers] [GENERAL] pgAdmin4 needs information of v10 SCRAM authentication

2017-04-23 Thread Akshay Joshi
Hi Michael

On Fri, Apr 21, 2017 at 12:07 PM, Michael Paquier  wrote:

> On Fri, Apr 21, 2017 at 3:27 PM, Akshay Joshi
>  wrote:
> > from passlib.hash import scram
> > hash = scram.encrypt(data['newPassword']) -- This function provide
> > password for all the supported digest like [md5, sha-1, sha-256, sha-512].
> > Didn't work I have tried with all the passwords.
> > test = scram.extract_digest_info(hash, "sha-256") -- This function
> > extract info for specified digest "sha-256". I have retrieve the password
> > which was in hexadecimal. Didn't work as well.
> >
> > Now I am stuck here and no clue how to encrypt/decrypt the password for
> > SCRAM authentication. Can someone guide me out here.
>
> Here you go:
> https://www.postgresql.org/message-id/76ac7e67-4e3a-f4df-e087-fbac90151...@iki.fi


   I have gone through this, but still facing issue to encrypt/change the
database server password. In pgAdmin4 we have "Change Password" feature
where user will enter the old and new password for the database server, now
we will have to encrypt it (in Python) as per SCRAM standards and set it to
the database.

  The example you have given in
https://www.postgresql.org/message-id/76ac7e67-4e3a-f4df-e087-fbac90151...@iki.fi
I have below questions:

   - To encode the password you already have entry from pg_authid table
   which won't be possible for non superuser to access that table. How we can
   get that value from pg_authid table or do we have any other solution to
   this.
   - For constructing the whole client-final-message, we need to calculate
   *ClientSignature* and *ClientProof*, which depend on the nonces, and is
   therefore different on every authentication exchange. How to calculate
   *ClientSignature* and *ClientProof*?

  Can you please guide me here, how can we achieve that in python.

>
> --
> Michael
>



-- 
*Akshay Joshi*
*Principal Software Engineer *



*Phone: +91 20-3058-9517 Mobile: +91 976-788-8246*


Re: [pgadmin-hackers] [GENERAL] pgAdmin4 needs information of v10 SCRAM authentication

2017-04-23 Thread Michael Paquier
On Mon, Apr 24, 2017 at 3:04 PM, Akshay Joshi
 wrote:
>I have gone through this, but still facing issue to encrypt/change the 
> database server password. In pgAdmin4 we have "Change Password" feature where 
> user will enter the old and new password for the database server, now we will 
> have to encrypt it (in Python) as per SCRAM standards and set it to the 
> database.

By using SET password_encryption = 'scram-sha-256' and sending the raw
password you would be able to hash the password correctly. Or you
could just mimic scram_build_password() (routine in Postgres code to
generate that correctly).

>   The example you have given in 
> https://www.postgresql.org/message-id/76ac7e67-4e3a-f4df-e087-fbac90151...@iki.fi
>  I have below questions:
> To encode the password you already have entry from pg_authid table which 
> won't be possible for non superuser to access that table. How we can get that 
> value from pg_authid table or do we have any other solution to this.

I don't understand this question, any user can update this field using
CREATE/ALTER ROLE, and the client has no need to know this value for
the exchange.

> For constructing  the whole client-final-message, we need to calculate  
> ClientSignature and ClientProof, which depend on the nonces, and is  
> therefore different on every authentication exchange. How to calculate 
> ClientSignature and ClientProof?
>   Can you please guide me here, how can we achieve that in python.

You will need a C equivalent of what is proposed in fe-auth-scram.c in
the Postgres code to build the messages that are exchanged from the
server, see particularly calculate_client_proof() which describes step
by step the calculation of the client proof when building the last
message for the client. I didn't check in details, but the routines
are the same as in the message above. The format of the hashed
password has changed a bit since commit 68e61ee though.
-- 
Michael
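
The ClientSignature and ClientProof calculation asked about in this thread, written out in Python from RFC 5802 as an added example; it is not code from the thread, from pgAdmin or ported from fe-auth-scram.c. The function names are hypothetical, the sample messages are the RFC 7677 test exchange, and the password is assumed to be plain ASCII (no SASLprep step).

```python
import base64
import hashlib
import hmac

# Sample input: the SCRAM-SHA-256 test exchange published in RFC 7677
# (user "user", password "pencil"); "c=biws" is the base64 GS2 header "n,,".
CLIENT_FIRST_BARE = "n=user,r=rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
CLIENT_FINAL_NO_PROOF = "c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _attrs(message):
    # SCRAM messages are comma-separated "x=value" attributes.
    return dict(field.split("=", 1) for field in message.split(","))

def scram_keys(password, salt_b64, iterations):
    """Derive (ClientKey, StoredKey, ServerKey); a server keeps only the last two."""
    # Hi() in RFC 5802 is PBKDF2 with HMAC as the PRF; ASCII password assumed.
    salted = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), iterations)
    client_key = _hmac(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest(), _hmac(salted, b"Server Key")

def client_final(password, client_first_bare, server_first, final_no_proof):
    """Return (ClientProof, expected ServerSignature) as base64 text."""
    server = _attrs(server_first)
    # The combined nonce must start with the nonce this client sent.
    if not server["r"].startswith(_attrs(client_first_bare)["r"]):
        raise ValueError("server nonce does not extend the client nonce")
    client_key, stored_key, server_key = scram_keys(
        password, server["s"], int(server["i"]))
    auth_message = ",".join((client_first_bare, server_first, final_no_proof)).encode()
    client_signature = _hmac(stored_key, auth_message)
    proof = bytes(a ^ b for a, b in zip(client_key, client_signature))
    server_signature = _hmac(server_key, auth_message)
    return base64.b64encode(proof).decode(), base64.b64encode(server_signature).decode()

def server_accepts(stored_key, auth_message, proof_b64):
    """Server side: recover ClientKey from the proof and check H(ClientKey)."""
    signature = _hmac(stored_key, auth_message)
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(proof_b64), signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)
```

The proof goes into the client-final-message as `p=<ClientProof>`, and the second return value is what the client compares against the `v=` attribute of the server's final message.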

