From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Andres Freund <andres(at)anarazel(dot)de>, Christoph Berg <myon(at)debian(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Relaxing SSL key permission checks |
Date: | 2016-02-19 01:15:42 |
Message-ID: | 16706.1455844542@sss.pgh.pa.us |
Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> Further, the notion that *this* is the footgun is completely off the
> reservation- if the files have been changed to allow untrusted users to
> have access to them, there isn't diddly we can do about it.
I completely disagree that those file-permissions checks are useless.
What they accomplish is, if you accidentally set up an insecure key file,
you'll get told about it fairly promptly, and have the opportunity to
either fix the permissions or generate a new key, depending on your
opinion of how likely it is that somebody stole the key already. If we
made no checks then, more than likely, an insecure key file would just
sit there indefinitely, waiting for some passing blackhat to grab it.
We can certainly discuss whether we need more than one model of what
appropriate permissions are, but I do not believe that "rip out the
check" is a helpful answer.
regards, tom lane
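The kind of startup check Tom is defending, as an added example that is not part of this thread and not PostgreSQL's own code: it stats the private key file and refuses it when the owner or mode bits would let other local users read it, so a mis-set key is reported the first time the server starts rather than sitting unnoticed. The policy encoded here (owner-only 0600 for a key owned by the server user, at most 0640 for a root-owned key, anything else rejected) is a hypothetical one chosen to illustrate the "more than one model of appropriate permissions" idea; the file contents are a constructed placeholder, not a real key.

```python
import os
import stat
import tempfile

# Hypothetical policy for this example (assumption, not PostgreSQL's code):
#  - a key owned by the server's effective uid must not be group- or
#    world-accessible (mode 0600 or tighter);
#  - a key owned by root may additionally be group-readable (mode 0640),
#    so an administrator can hand it to the server through a group;
#  - any other owner is rejected outright.
SERVER_OWNED_FORBIDDEN = stat.S_IRWXG | stat.S_IRWXO                 # ---rwxrwx
ROOT_OWNED_FORBIDDEN = stat.S_IWGRP | stat.S_IXGRP | stat.S_IRWXO    # ----wxrwx


def check_key_file(path, server_uid=None):
    """Return None when the key file's ownership and mode pass the policy,
    otherwise a short reason string the server could log before refusing
    to start."""
    if server_uid is None:
        server_uid = os.geteuid()
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "key file %s does not exist" % path
    if not stat.S_ISREG(st.st_mode):
        return "key file %s is not a regular file" % path
    mode = stat.S_IMODE(st.st_mode)  # permission bits only, no file-type bits
    if st.st_uid == server_uid:
        if mode & SERVER_OWNED_FORBIDDEN:
            return "key file %s has group or world access (mode %04o)" % (path, mode)
        return None
    if st.st_uid == 0:
        if mode & ROOT_OWNED_FORBIDDEN:
            return ("root-owned key file %s is world-accessible or group-writable "
                    "(mode %04o)" % (path, mode))
        return None
    return ("key file %s is owned by uid %d, neither the server user nor root"
            % (path, st.st_uid))


def make_key_file(mode, directory=None):
    """Create a constructed placeholder key file with the given mode and
    return its path (sample data only; the contents are not a real key)."""
    fd, path = tempfile.mkstemp(prefix="server-key-", suffix=".pem", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED PLACEHOLDER\n"
                "-----END PRIVATE KEY-----\n")
    os.chmod(path, mode)  # explicit chmod so the process umask cannot alter the test mode
    return path


def demo_modes(modes=(0o600, 0o640, 0o644)):
    """Create one constructed key file per mode, run the check, clean up,
    and return {mode: verdict} (None means the file was accepted)."""
    results = {}
    for mode in modes:
        path = make_key_file(mode)
        try:
            results[mode] = check_key_file(path)
        finally:
            os.unlink(path)
    return results


if __name__ == "__main__":
    for mode, verdict in demo_modes().items():
        print("mode %04o -> %s" % (mode, "accepted" if verdict is None else verdict))
```

Running it as an ordinary user accepts only the 0600 file and rejects 0640 and 0644 with a message naming the offending bits; the root-owned 0640 branch only comes into play when the key's owner differs from the server's uid, which is the situation a packaging scheme with a shared certificate group produces.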