| From: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Andres Freund <andres(at)anarazel(dot)de>, Christoph Berg <myon(at)debian(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Relaxing SSL key permission checks |
| Date: | 2016-02-19 04:55:36 |
| Message-ID: | 56C6A048.2030404@commandprompt.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 02/18/2016 08:22 PM, Tom Lane wrote:
> Now, I have heard it argued that the OpenSSH/L authors are a bunch of
> idiots who know nothing about security. But it's not like insisting
> on restrictive permissions on key files is something we invented out
> of the blue. It's pretty standard practice, AFAICT.
>
> regards, tom lane
I think Tom has the right compromise. It must be 0600 for us, and 0640
or less for root. That opens up the ability for other systems to have
what it needs (although I am unsure of how Windows handles this) and
allows us to keep a modicum of self respect in terms of what we allow.
Sincerely,
JD
--
Command Prompt, Inc. http://the.postgres.company/
+1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.
Everyone appreciates your honesty, until you are honest with them.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2016-02-19 05:20:25 | Re: Typo in bufmgr.c that result in waste of memory |
| Previous Message | Tom Lane | 2016-02-19 04:22:01 | Re: Relaxing SSL key permission checks |