Re: Relaxing SSL key permission checks

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Christoph Berg <myon(at)debian(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Relaxing SSL key permission checks
Date: 2016-02-18 15:34:36
Message-ID: 27423.1455809676@sss.pgh.pa.us
Lists: pgsql-hackers

Bruce Momjian <bruce(at)momjian(dot)us> writes:
> On Thu, Feb 18, 2016 at 10:17:49AM -0500, Tom Lane wrote:
>> We could allow group-readable if we had some way to know whether to
>> trust the specific group, but I don't think there's any practical
>> way to do that. System conventions vary too much.

> Should we have a GUC to control the group permissions restriction? I
> can certainly see value in allowing for group access to the certificate.

Meh ... I think such a GUC would mostly be a way to shoot yourself in
the foot. (For example, imagine an OS X user who sets it to "staff"
instead of doing the right thing and adjusting the file's permissions.)

I did have a thought though: could we allow two distinct permissions
configurations? That is, allow either:

* file is owned by us, mode 0600 or less

* file is owned by root, mode 0640 or less

The first case is what we allow today. (We don't need an explicit
ownership check; if the mode is 0600 and we can read it, we must be
the owner.) The second case is what Debian wants. We already know
we are not root, so if we can read the file, we must be part of the
group that root has allowed to read the file, and at that point it's
on root's head whether or not that group is secure. I don't have a
problem with trusting root's judgment on security matters --- if the
root admin is incompetent, there are probably holes everywhere anyway.

The problem with the proposed patch is that it's conflating these
distinct cases, but that's easily fixed.

regards, tom lane
