Re: Allow root ownership of client certificate key

From: David Steele <david(at)pgmasters(dot)net>
To: PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Allow root ownership of client certificate key
Date: 2021-10-28 13:08:38
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On 10/22/21 11:41 AM, David Steele wrote:
> I noticed recently that permissions checking is done differently for the
> server certificate key than the client key. Specifically, on the server
> the key can have 640 perms if it is owned by root.
> On the server side this change was made in 9a83564c and I think the same
> rational applies equally well to the client key. At the time managed
> keys on the client may not have been common but they are now.
> Attached is a patch to make this change.
> I was able to this this manually by hacking like so:
> -    chmod 0640, "ssl/${key}_tmp.key"
> +    chmod 0600, "ssl/${key}_tmp.key"
>        or die "failed to change permissions on ssl/${key}_tmp.key: $!";
> -    system_or_bail("sudo chown root ssl/${key}_tmp.key");
> But this is clearly not going to work for general purpose testing. The
> server keys also not tested for root ownership so perhaps we do not need
> that here either.
> I looked at trying to make this code common between the server and
> client but due to the differences in error reporting it seemed like more
> trouble than it was worth.

Added to next CF:


In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Arne Roland 2021-10-28 13:44:31 Re: missing indexes in indexlist with partitioned tables
Previous Message Amul Sul 2021-10-28 12:58:41 Correct error message for end-of-recovery record TLI