From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Christoph Berg <myon(at)debian(dot)org> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Relaxing SSL key permission checks |
Date: | 2016-02-19 02:13:33 |
Message-ID: | 56C67A4D.9090709@gmx.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 2/18/16 10:17 AM, Tom Lane wrote:
> Christoph Berg <myon(at)debian(dot)org> writes:
>> Currently the server insists on ssl_key_file's permissions to be 0600
>> or less, and be owned by the database user. Debian has been patching
>> be-secure.c since forever (the git history goes back to 8.2beta1) to
>> relax that to 0640 or less, and owned by root or the database user.
>
> Debian can do that if they like, but it's entirely unacceptable as an
> across-the-board patch. Not all systems treat groups as being narrow
> domains in which it's okay to assume that group-readable files are
> secure enough to be keys. As an example, on OS X user files tend to be
> group "staff" or "admin" which'd be close enough to world readable.
>
> We could allow group-readable if we had some way to know whether to
> trust the specific group, but I don't think there's any practical
> way to do that. System conventions vary too much.
Wouldn't POSIX ACLs bypass this anyway?
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2016-02-19 02:51:26 | Re: exposing pg_controldata and pg_config as functions |
Previous Message | Stephen Frost | 2016-02-19 01:31:25 | Re: Relaxing SSL key permission checks |