Skip site navigation (1) Skip section navigation (2)

Re: BUG #1963: SSL certificate permission check is too strict

From: Martin Pitt <mpitt(at)debian(dot)org>
To: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #1963: SSL certificate permission check is too strict
Date: 2005-10-14 17:13:35
Message-ID: 20051014171335.GB20581@piware.de (view raw or flat)
Thread:
Lists: pgsql-bugs
Hi Tom!

Tom Lane [2005-10-14 11:38 -0400]:
> "Martin Pitt" <mpitt(at)debian(dot)org> writes:
> > Currently the postmaster requires the private SSL key file to have the same
> > owner as the postmaster, and no permissions for group and others. However,
> > this is too strict to sensibly use the certificate with ACLs, which permits
> > other server processes to share it.
> 
> > In Debian I applied a patch which relaxes the check a bit: in addition to
> > the currently allowed permissions, the file might be:
> >  - owned by root
> >  - group-readable if the file is in group root or the postmaster group.
> 
> This was proposed and rejected before --- it's not clear why it's a good
> idea to share a private key file with other servers, 

On my own boxes I usually create one certificate per box, not per
server. This keeps certificate management easy and avoids redundancy -
why should I create separate certifictates for each server I run? I
want to validate the identity computers with the certificates, nothing
more. This seems to be a common practice.

> and even less clear why it'd be a good idea to have such a file be
> group-readable by a large group.

The group does not need to be big; for sharing certificates, you
basically have two options:

 - Use ACLs; this is a clean way, but not supported by all file
   systems, and even by less backup systems. It does not require
   groups, though.

 - Create a "sslkey" group and add all servers to it that need read
   permission to the certificate.

AIUI this check should prevent admins from accidentially shooting
themselves in the foot, not make it totally impossible to configure
stuff as the admin wants. Or is that wrong?

At least the certificate could be permitted to be owned/in group root.
I cannot see how this should weaken the certificate's security.

Thanks and have a nice weekend!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

In response to

Responses

pgsql-bugs by date

Next:From: Bruce MomjianDate: 2005-10-14 17:37:56
Subject: Re: [BUGS] Bug#333854: pg_group file update problems
Previous:From: Tom LaneDate: 2005-10-14 17:05:53
Subject: Re: [GENERAL] Postgres logs to syslog LOCAL0

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group