| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Martin Pitt" <mpitt(at)debian(dot)org> |
| Cc: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #1963: SSL certificate permission check is too strict |
| Date: | 2005-10-14 15:38:38 |
| Message-ID: | 10226.1129304318@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
"Martin Pitt" <mpitt(at)debian(dot)org> writes:
> Currently the postmaster requires the private SSL key file to have the same
> owner as the postmaster, and no permissions for group and others. However,
> this is too strict to sensibly use the certificate with ACLs, which permits
> other server processes to share it.
> In Debian I applied a patch which relaxes the check a bit: in addition to
> the currently allowed permissions, the file might be:
> - owned by root
> - group-readable if the file is in group root or the postmaster group.
This was proposed and rejected before --- it's not clear why it's a good
idea to share a private key file with other servers, and even less clear
why it'd be a good idea to have such a file be group-readable by a large
group.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jorge Mario Valencia | 2005-10-14 15:41:17 | BUG #1968: bad end of file |
| Previous Message | Bruce Momjian | 2005-10-14 15:29:30 | Re: Bug#333854: pg_group file update problems |