Re: Relaxing SSL key permission checks

From: Andres Freund <andres(at)anarazel(dot)de>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Christoph Berg <myon(at)debian(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Relaxing SSL key permission checks
Date: 2016-02-18 15:43:26
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On 2016-02-18 10:17:49 -0500, Tom Lane wrote:
> Christoph Berg <myon(at)debian(dot)org> writes:
> > Currently the server insists on ssl_key_file's permissions to be 0600
> > or less, and be owned by the database user. Debian has been patching
> > be-secure.c since forever (the git history goes back to 8.2beta1) to
> > relax that to 0640 or less, and owned by root or the database user.
> Debian can do that if they like, but it's entirely unacceptable as an
> across-the-board patch. Not all systems treat groups as being narrow
> domains in which it's okay to assume that group-readable files are
> secure enough to be keys. As an example, on OS X user files tend to be
> group "staff" or "admin" which'd be close enough to world readable.
> We could allow group-readable if we had some way to know whether to
> trust the specific group, but I don't think there's any practical
> way to do that. System conventions vary too much.

Isn't that a bit overly restrictive? Asking users to patch out checks,
for perfectly reasonable configurations, strikes me as a bit unbalanced.
There's never reasons to make the file world read/writable; but there
seem to be plenty of scenarios where the file should be read/writable by
specific groups. We don't prevent the user from making the
configuration file world-writable either, so there's not really that
much of a security benefit of being overly restrictive with other
parameters - you can just ocnfigure an archive command of your choosing
and such.


In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Alexander Korotkov 2016-02-18 15:51:24 Re: WIP: Access method extendability
Previous Message Tom Lane 2016-02-18 15:34:36 Re: Relaxing SSL key permission checks