|From:||Christoph Berg <myon(at)debian(dot)org>|
|To:||Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>|
|Cc:||Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>|
|Subject:||Re: Relaxing SSL key permission checks|
|Views:||Raw Message | Whole Thread | Download mbox|
Re: Tom Lane 2016-02-18 <27423(dot)1455809676(at)sss(dot)pgh(dot)pa(dot)us>
> I did have a thought though: could we allow two distinct permissions
> configurations? That is, allow either:
> * file is owned by us, mode 0600 or less
> * file is owned by root, mode 0640 or less
> The first case is what we allow today. (We don't need an explicit
> ownership check; if the mode is 0600 and we can read it, we must be
> the owner.) The second case is what Debian wants. We already know
> we are not root, so if we can read the file, we must be part of the
> group that root has allowed to read the file, and at that point it's
> on root's head whether or not that group is secure. I don't have a
> problem with trusting root's judgment on security matters --- if the
> root admin is incompetent, there are probably holes everywhere anyway.
Makes sense to me.
> The problem with the proposed patch is that it's conflating these
> distinct cases, but that's easily fixed.
Updated patch attached.
cb(at)df7cb(dot)de | http://www.df7cb.de/
|Next Message||Andres Freund||2016-02-19 12:18:00||Re: checkpointer continuous flushing - V16|
|Previous Message||Pavel Stehule||2016-02-19 11:07:26||Re: proposal: function parse_ident|