From: | Martin Pitt <martin(at)piware(dot)de> |
---|---|
To: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #3809: SSL "unsafe" private key permissions bug |
Date: | 2007-12-09 10:43:48 |
Message-ID: | 20071209104348.GA11651@piware.de |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
Hi,
Simon Arlott [2007-12-08 12:24 +0000]:
> Bug reference: 3809
> Logged by: Simon Arlott
> Email address: postgresql(dot)simon(at)arlott(dot)org
> PostgreSQL version: 8.2.4
> Operating system: Linux 2.6.23
> Description: SSL "unsafe" private key permissions bug
> Details:
>
> FATAL: unsafe permissions on private key file "server.key"
> DETAIL: File must be owned by the database user and must have no
> permissions for "group" or "other".
>
> It should be possible to disable this check in the configuration, so those
> of us capable of deciding what's unsafe can do so.
For the same reason Debian/Ubuntu have modified this check ages ago,
to also allow for keys which are owned by root and readable by a
particular group. A lot of our users want to share a common SSL
cert/key between all servers, and the upstream check makes this
impossible. (Ubuntu sets up all server packages in a way that they all
share a common SSL key called "snakeoil" which is generated on system
installation. By merely replacing this with a real one, your box
becomes sanely configured without fiddling with any configuration
files.)
I already proposed this patch two times, but it has been rejected so
far unfortunately. But maybe it's useful for you.
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
Attachment | Content-Type | Size |
---|---|---|
07-relax-sslkey-permscheck.patch | text/x-diff | 1.2 KB |
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Glaesemann | 2007-12-09 13:18:01 | Re: BUG #3811: Getting multiple values from a sequence generator |
Previous Message | Adriaan van Os | 2007-12-09 09:24:34 | BUG #3811: Getting multiple values from a sequence generator |