| From: | Martin Pitt <mpitt(at)debian(dot)org> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #1963: SSL certificate permission check is too strict |
| Date: | 2005-10-16 09:45:20 |
| Message-ID: | 20051016094520.GC20451@box79162.elkhouse.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Hi Tom!
Tom Lane [2005-10-16 0:41 -0400]:
> Martin Pitt <mpitt(at)debian(dot)org> writes:
> > At least the certificate could be permitted to be owned/in group root.
> > I cannot see how this should weaken the certificate's security.
>
> Postgres doesn't run as root, hence could not use such a certificate
> unless it was world-readable.
Please see my original mail. If you use ACLs, postgres can very well
be able to read the certificate.
The point was that a key's security is not weakened if it is owned by
root instead of "postgres" - to the contrary. So I don't see the point
of the check that actively prohibits a key being owned by root.
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Klint Gore | 2005-10-17 00:44:15 | Re: BUG #1956: Plpgsql top-level DECLARE does not share scope |
| Previous Message | Tom Lane | 2005-10-16 04:41:04 | Re: BUG #1963: SSL certificate permission check is too strict |