Re: Relaxing SSL key permission checks

From: Christoph Berg <myon(at)debian(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Relaxing SSL key permission checks
Date: 2016-02-19 11:53:34
Message-ID: 20160219115334.GB26862@msg.df7cb.de
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Re: Tom Lane 2016-02-18 <27423(dot)1455809676(at)sss(dot)pgh(dot)pa(dot)us>
> I did have a thought though: could we allow two distinct permissions
> configurations? That is, allow either:
>
> * file is owned by us, mode 0600 or less
>
> * file is owned by root, mode 0640 or less
>
> The first case is what we allow today. (We don't need an explicit
> ownership check; if the mode is 0600 and we can read it, we must be
> the owner.) The second case is what Debian wants. We already know
> we are not root, so if we can read the file, we must be part of the
> group that root has allowed to read the file, and at that point it's
> on root's head whether or not that group is secure. I don't have a
> problem with trusting root's judgment on security matters --- if the
> root admin is incompetent, there are probably holes everywhere anyway.

Makes sense to me.

> The problem with the proposed patch is that it's conflating these
> distinct cases, but that's easily fixed.

Updated patch attached.

Christoph
--
cb(at)df7cb(dot)de | http://www.df7cb.de/

Attachment Content-Type Size
ssl_key_permissions.patch text/x-diff 2.2 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Andres Freund 2016-02-19 12:18:00 Re: checkpointer continuous flushing - V16
Previous Message Pavel Stehule 2016-02-19 11:07:26 Re: proposal: function parse_ident