From: | Christoph Berg <myon(at)debian(dot)org> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Relaxing SSL key permission checks |
Date: | 2016-02-19 11:53:34 |
Message-ID: | 20160219115334.GB26862@msg.df7cb.de |
Lists: | pgsql-hackers |
Re: Tom Lane 2016-02-18 <27423(dot)1455809676(at)sss(dot)pgh(dot)pa(dot)us>
> I did have a thought though: could we allow two distinct permissions
> configurations? That is, allow either:
>
> * file is owned by us, mode 0600 or less
>
> * file is owned by root, mode 0640 or less
>
> The first case is what we allow today. (We don't need an explicit
> ownership check; if the mode is 0600 and we can read it, we must be
> the owner.) The second case is what Debian wants. We already know
> we are not root, so if we can read the file, we must be part of the
> group that root has allowed to read the file, and at that point it's
> on root's head whether or not that group is secure. I don't have a
> problem with trusting root's judgment on security matters --- if the
> root admin is incompetent, there are probably holes everywhere anyway.
Makes sense to me.
> The problem with the proposed patch is that it's conflating these
> distinct cases, but that's easily fixed.
Updated patch attached.
Christoph
--
cb(at)df7cb(dot)de | http://www.df7cb.de/
Attachment | Content-Type | Size |
---|---|---|
ssl_key_permissions.patch | text/x-diff | 2.2 KB |