Skip site navigation (1) Skip section navigation (2)

Re: SSL Mode

From: Radoslaw Stachowiak <radek(at)alter(dot)pl>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: postgresql <pgsql-admin(at)postgresql(dot)org>
Subject: Re: SSL Mode
Date: 2002-12-23 20:36:48
Message-ID: 20021223203648.GG3728@blue.alter.pl (view raw or flat)
Thread:
Lists: pgsql-admin
*** Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> [14:45 Mon 23.Dec]:
> Radoslaw Stachowiak <radek(at)alter(dot)pl> writes:
> > and one more suggestion, as this feature is a little bit to strong IMHO.
> 
> > Common practice for such files (private keys) is to make them owned by
> > root user and postgres group with 640 mode.
> 
> I don't think that's either common practice or a good idea.  For one
> thing, it presumes that there *is* a postgres group; which is not a
> requirement we ever had before.  For another, root can read or write the
> file if she chooses regardless of ownership or permissions, so it's not
> like doing it that way gains anything.

not true. as i wrote above, 'root' was just example. its just user which
has right to manage ssl keys. This example can be also 'remapped' to
permission 660 (or 460) where owner is postgres, and group is a special
manage group. Current approach blocks such uses, and forces to use
postgres, means giving more power for task which doesnt require it, and,
whats more important, task which is in fact from other 'problem-space'.

so its not 'complain' with least-privilege rule.

> As a counterexample, on a setup like mine (HP-UX), all normal users are
> members of group "users" and so group readability is not much safer than
> world readability.  If Postgres neglected to complain about mode 640
> then there'd be little point in having a file-security check at all, on
> this system.

although as i pointed earlier, simple 600 check does not give
more security than other schemas which can be deployed on unix
permissions. in fact it can give _false_ sense of security which is
worse.

> IMHO the existing check is just fine, although the complaint message
> could be a lot more specific (it looks to me like three distinctly
> different sanity checks are being folded into one error message :-().

more meaningful message is highly appreciated :)

dont get me wrong, what I like to express is that current schema dont
give more security while blocks some complicated/creative realworld
permission situations.


	.radek.

In response to

Responses

pgsql-admin by date

Next:From: Jie LiangDate: 2002-12-23 21:04:31
Subject: md5 file
Previous:From: Tom LaneDate: 2002-12-23 19:45:59
Subject: Re: SSL Mode

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group