| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Christoph Berg <myon(at)debian(dot)org> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Relaxing SSL key permission checks |
| Date: | 2016-02-18 15:17:49 |
| Message-ID: | 26841.1455808669@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Christoph Berg <myon(at)debian(dot)org> writes:
> Currently the server insists on ssl_key_file's permissions to be 0600
> or less, and be owned by the database user. Debian has been patching
> be-secure.c since forever (the git history goes back to 8.2beta1) to
> relax that to 0640 or less, and owned by root or the database user.
Debian can do that if they like, but it's entirely unacceptable as an
across-the-board patch. Not all systems treat groups as being narrow
domains in which it's okay to assume that group-readable files are
secure enough to be keys. As an example, on OS X user files tend to be
group "staff" or "admin" which'd be close enough to world readable.
We could allow group-readable if we had some way to know whether to
trust the specific group, but I don't think there's any practical
way to do that. System conventions vary too much.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2016-02-18 15:20:56 | Re: Relaxing SSL key permission checks |
| Previous Message | Constantin S. Pan | 2016-02-18 15:10:59 | Re: [WIP] speeding up GIN build with parallel workers |