Re: Relaxing SSL key permission checks

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Andres Freund <andres(at)anarazel(dot)de> writes:
> > ... We don't prevent the user from making the
> > configuration file world-writable either,
>
> Maybe we should. It wasn't an issue originally, because the config files
> were necessarily inside $PGDATA which we restrict permissions on. But
> these days you can place the config files in places where untrustworthy
> people could get at them.

No, we should be improving our support of systems which provide more
specific groups, not destroying it. Being able to run backups as a user
who is not able to modify the database would be great too, and that case
isn't covered by your approach to "allow group rights if the file is
owned by root."

Further, the notion that *this* is the footgun is completely off the
reservation- if the files have been changed to allow untrusted users to
have access to them, there isn't diddly we can do about it. All we're
doing with this is imposing our own idea of what the system policy
should be, even though there are clear examples where that's just
blatently wrong.

If we really want to force these checks to happen (and I'm not
convinced that they're actually useful at all), then we need to provide
a way for users and distributions to control the specifics of the checks
as they chose. Maybe that's a command-line switch instead of a GUC, or
it's something else, but there clearly isn't "one true way" here and we
should be flexible.

Thanks!

Stephen