| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | David Steele <david(at)pgmasters(dot)net> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Allow root ownership of client certificate key |
| Date: | 2022-02-28 19:20:03 |
| Message-ID: | 2695417.1646076003@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
David Steele <david(at)pgmasters(dot)net> writes:
> [ client-key-perm-003.patch ]
Pushed with a bit of copy-editing of the comments.
> So, to test the new functionality, just add this snippet on line 57 of
> 001_ssltests.pl:
> chmod 0640, "$cert_tempdir/client.key"
> or die "failed to change permissions on $cert_tempdir/client.key: $!";
> system_or_bail("sudo chown root $cert_tempdir/client.key");
> If you can think of a way to add this to the tests I'm all ears. Perhaps
> we could add these lines commented out and explain what they are for?
I believe we have some precedents for invoking this sort of test
optionally if an appropriate environment variable is set. However,
I'm having a pretty hard time seeing that there's any real use-case
for a test set up like this. The TAP tests are meant for automatic
testing, and nobody is going to run automatic tests in an environment
where they'd be allowed to sudo. (Or at least I sure hope nobody
working on this project is that naive.)
If somebody wants to put this in despite that, I'd merely suggest
that the server-side logic ought to get exercised too.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Brar Piening | 2022-02-28 19:41:13 | Re: Add id's to various elements in protocol.sgml |
| Previous Message | Stephen Frost | 2022-02-28 19:09:23 | Re: CREATEROLE and role ownership hierarchies |