Skip site navigation (1) Skip section navigation (2)

Re: BUG #3809: SSL "unsafe" private key permissions bug

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Martin Pitt <martin(at)piware(dot)de>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #3809: SSL "unsafe" private key permissions bug
Date: 2007-12-16 10:37:05
Message-ID: 200712161037.lBGAb5P07573@momjian.us (view raw or flat)
Thread:
Lists: pgsql-bugs
Agreed.  Let's look this over again in 8.4.  I am feeling our
restrictions are making things _less_ secure sometimes.

This has been saved for the 8.4 release:

	http://momjian.postgresql.org/cgi-bin/pgpatches_hold

---------------------------------------------------------------------------

Martin Pitt wrote:
-- Start of PGP signed section.
> Hi,
> 
> Simon Arlott [2007-12-08 12:24 +0000]:
> > Bug reference:      3809
> > Logged by:          Simon Arlott
> > Email address:      postgresql(dot)simon(at)arlott(dot)org
> > PostgreSQL version: 8.2.4
> > Operating system:   Linux 2.6.23
> > Description:        SSL "unsafe" private key permissions bug
> > Details: 
> > 
> > FATAL:  unsafe permissions on private key file "server.key"
> > DETAIL:  File must be owned by the database user and must have no
> > permissions for "group" or "other".
> > 
> > It should be possible to disable this check in the configuration, so those
> > of us capable of deciding what's unsafe can do so.
> 
> For the same reason Debian/Ubuntu have modified this check ages ago,
> to also allow for keys which are owned by root and readable by a
> particular group. A lot of our users want to share a common SSL
> cert/key between all servers, and the upstream check makes this
> impossible. (Ubuntu sets up all server packages in a way that they all
> share a common SSL key called "snakeoil" which is generated on system
> installation. By merely replacing this with a real one, your box
> becomes sanely configured without fiddling with any configuration
> files.)
> 
> I already proposed this patch two times, but it has been rejected so
> far unfortunately. But maybe it's useful for you.
> 
> Martin
> 
> -- 
> Martin Pitt        http://www.piware.de
> Ubuntu Developer   http://www.ubuntu.com
> Debian Developer   http://www.debian.org

-- End of PGP section, PGP failed!

-- 
  Bruce Momjian  <bruce(at)momjian(dot)us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

In response to

pgsql-bugs by date

Next:From: Dave PageDate: 2007-12-16 10:53:06
Subject: Re: BUG #3808: Connections stays open in stateCLOSE_WAIT
Previous:From: Bruce MomjianDate: 2007-12-16 10:08:17
Subject: Re: BUG #3808: Connections stays open in state CLOSE_WAIT

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group