Allow root ownership of client certificate key

From: David Steele <david(at)pgmasters(dot)net>
To: PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Allow root ownership of client certificate key
Date: 2021-10-22 15:41:21
Message-ID: f4b7bc55-97ac-9e69-7398-335e212f7743@pgmasters.net
Lists: pgsql-hackers

Hackers,

I noticed recently that permissions checking is done differently for the
server certificate key than the client key. Specifically, on the server
the key can have 640 perms if it is owned by root.

On the server side this change was made in 9a83564c and I think the same
rationale applies equally well to the client key. At the time managed
keys on the client may not have been common but they are now.

Attached is a patch to make this change.

I was able to test this manually by hacking 001_ssltests.pl like so:

- chmod 0640, "ssl/${key}_tmp.key"
+ chmod 0600, "ssl/${key}_tmp.key"
or die "failed to change permissions on ssl/${key}_tmp.key: $!";
- system_or_bail("sudo chown root ssl/${key}_tmp.key");
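
Review bot: the -/+ markers look inverted relative to the hack described above: the lines marked "-" are the ones that set mode 0640 and run "sudo chown root" on the key, which is the state a root-ownership test needs, while the "+" line sets the key to 0600. If this is meant to show what was added to 001_ssltests.pl, the signs should be swapped. The system_or_bail call also aborts the whole test script when sudo is unavailable, so a committed version would need to skip this case instead of bailing.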

But this is clearly not going to work for general purpose testing. The
server keys are also not tested for root ownership so perhaps we do not need
that here either.

I looked at trying to make this code common between the server and
client but due to the differences in error reporting it seemed like more
trouble than it was worth.

Regards,
--
-David
david(at)pgmasters(dot)net

Attachment Content-Type Size
client-key-perm-001.patch text/plain 1.8 KB
