From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | David Steele <david(at)pgmasters(dot)net>, PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Allow root ownership of client certificate key |
Date: | 2022-03-01 03:15:16 |
Message-ID: | 2770813.1646104516@sss.pgh.pa.us |
Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>> I'd be more eager to do that if we had some field complaints
>> about it. Since we don't, my inclination is not to, but I'm
>> only -0.1 or so; anybody else want to vote?

> This patch was specifically developed in response to field complaints
> about it working differently, so there's that.

Hmm ... I didn't recall seeing any on the lists, but a bit of archive
searching found
https://www.postgresql.org/message-id/flat/20170213184323.6099.18278%40wrigleys.postgresql.org
wherein we'd considered the idea and rejected it, or at least decided
that we wanted finer-grained control than the server side needs.
So that's *a* field complaint. But are we still worried about the
concerns that were raised there?

Re-reading, it looks like the submitter then wanted us to just drop the
prohibition of group-readability without tying it to root ownership,
which I feel would indeed be pretty dangerous given how many systems have
groups like "users". But I don't think root-owned-group-readable is such
a problem: if you can create such a file then you can make one owned by
the calling user, too.

Anyway, I'd be happier about back-patching if we could document
actual requests to make it work like the server side does.

regards, tom lane
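
The ownership-and-mode rule under discussion, written out as an added example; it is not code from this message or from PostgreSQL, and the function names are hypothetical. It assumes the rule PostgreSQL documents for the server's key file: 0600 or stricter when the file is owned by the calling user, 0640 or stricter when it is owned by root.

```c
/* Added illustration; not PostgreSQL source. Function names are hypothetical. */
#define _DEFAULT_SOURCE
#include <stdbool.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Apply the key-file policy to the owner and mode reported by stat():
 *   - must be a regular file
 *   - owned by the calling user: no group or other access (0600 or stricter)
 *   - owned by root: group may read, nothing more (0640 or stricter)
 *   - any other owner: rejected
 * Group-readability is accepted only together with root ownership; a
 * user-owned file that a group such as "users" can read is refused.
 */
bool
key_file_mode_ok(uid_t owner, mode_t mode, uid_t caller)
{
    if (!S_ISREG(mode))
        return false;
    if (owner == caller)
        return (mode & (S_IRWXG | S_IRWXO)) == 0;
    if (owner == 0)
        return (mode & (S_IWGRP | S_IXGRP | S_IRWXO)) == 0;
    return false;
}

/* Stat the path and apply the policy for the effective user id. */
bool
key_file_ok(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return false;           /* a missing or unreadable path is not acceptable */
    return key_file_mode_ok(st.st_uid, st.st_mode, geteuid());
}
```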