| From: | lejeczek <peljasz(at)yahoo(dot)co(dot)uk> |
|---|---|
| To: | pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | sharing certificates via ACLs - possible? |
| Date: | 2021-03-02 11:07:56 |
| Message-ID: | 7f60e91e-94c6-b503-b09d-2f639c3494bf@yahoo.co.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Hi guys.
I wonder if it is possible to have PostgreSQL share
certificates with other bits & bobs.
I see PGSQL is very unhappy and won't accept certs with
permissions like:
-> $ getfacl
/etc/pki/easy-rsa/pki/private/c8kubernode1.private.wel.key
getfacl: Removing leading '/' from absolute path names
# file:
etc/pki/easy-rsa/pki/private/c8kubernode1.private.wel.key
# owner: root
# group: root
user::rw-
user:postgres:r-x
user:redis:r-x
group::---
mask::r-x
other::---
such ACLs I think obviously, result in:
-> $ ll /etc/pki/easy-rsa/pki/private/
total 12
-rw-r-x---+ 1 root root 1704 Mar 1 13:35
c8kubernode1.private.wel.key
and then PGSQL fails to start:
...
Starting PostgreSQL database server...
2021-03-02 06:04:15.168 EST [1173631] FATAL: private key
file
"/etc/pki/easy-rsa/pki/private/c8kubernode1.private.wel.key"
has group or world access
If that is by design, is not then bit over the top?
postgresql-13.2
many thanks, L.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephan Hahn | 2021-03-02 15:28:49 | make postgres readonly |
| Previous Message | Jagmohan Kaintura | 2021-03-01 03:19:12 | Fwd: PostgreSQL Statement Dependency Resolving | Schema Upgrade |