Allow root ownership of client certificate key

From: David Steele <david(at)pgmasters(dot)net>
To: PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Allow root ownership of client certificate key
Date: 2021-10-22 15:41:21
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers


I noticed recently that permissions checking is done differently for the
server certificate key than the client key. Specifically, on the server
the key can have 640 perms if it is owned by root.

On the server side this change was made in 9a83564c and I think the same
rational applies equally well to the client key. At the time managed
keys on the client may not have been common but they are now.

Attached is a patch to make this change.

I was able to this this manually by hacking like so:

- chmod 0640, "ssl/${key}_tmp.key"
+ chmod 0600, "ssl/${key}_tmp.key"
or die "failed to change permissions on ssl/${key}_tmp.key: $!";
- system_or_bail("sudo chown root ssl/${key}_tmp.key");

But this is clearly not going to work for general purpose testing. The
server keys also not tested for root ownership so perhaps we do not need
that here either.

I looked at trying to make this code common between the server and
client but due to the differences in error reporting it seemed like more
trouble than it was worth.


Attachment Content-Type Size
client-key-perm-001.patch text/plain 1.8 KB


Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2021-10-22 15:54:13 Re: Experimenting with hash tables inside pg_dump
Previous Message Stephen Frost 2021-10-22 15:36:37 Re: XTS cipher mode for cluster file encryption