From: | Jeroen Jacobs <jeroen(dot)jacobs(at)headincloud(dot)be> |
---|---|
To: | "pgadmin-hackers(at)postgresql(dot)org" <pgadmin-hackers(at)postgresql(dot)org> |
Subject: | file permission on ssl key |
Date: | 2017-04-23 17:55:40 |
Message-ID: | AM4PR06MB17329F444A587715D2EF12498C1C0@AM4PR06MB1732.eurprd06.prod.outlook.com |
Lists: | pgadmin-hackers pgsql-general |
Hi,
I'm getting this error when I try to configure ssl with postgres:
Apr 23 13:12:47 pgmaster01 pg_ctl: FATAL: private key file "/etc/ssl/pgmaster01-key.pem" has group or world access
Apr 23 13:12:47 pgmaster01 pg_ctl: DETAIL: Permissions should be u=rw (0600) or less.
The actual permission is:
[centos@pgmaster01 ~]$ ls -l /etc/ssl/pgmaster01-key.pem
-r--r----- 1 root ssl-read 3243 Apr 23 00:00 /etc/ssl/pgmaster01-key.pem
The postgres user is part of the ssl-read group. This ssl key is shared with other software as well, so giving exclusive access to the postgres user is NOT an option.
I understand why postgres complains, but I'm pretty sure about what I'm doing here. How can I tell postgres to start anyway, even when it doesn't like those permissions? There should be a way to override this, I'm the admin here, it's up to me to decide to implement my security setup, not the software itself.
So basically I have three options:
- don't use ssl at all (not an option at all, actually)
- create a separate copy of my ssl key file with the correct permissions that postgres likes (ugly workaround)
- use another database server which allows me to configure it how I want it.
I'm actually considering settling for the last solution, due to this crazy restriction you put in place...
Regards,
Jeroen.
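
The rule quoted in the error message above depends only on the file's mode bits, so the postgres user's membership of the ssl-read group does not enter into it. The following C program is an added example, not PostgreSQL's source code and not part of the original message; it models the rule exactly as the error text states it, and the function and enum names are hypothetical:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum key_check { KEY_OK = 0, KEY_STAT_FAILED, KEY_NOT_REGULAR, KEY_TOO_OPEN };

/* Model of the "u=rw (0600) or less" rule from the error message.
 * Assumption: any group or world permission bit causes a refusal. */
enum key_check check_key_file(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return KEY_STAT_FAILED;
    if (!S_ISREG(st.st_mode))
        return KEY_NOT_REGULAR;
    /* S_IRWXG | S_IRWXO covers every group and world permission bit. */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return KEY_TOO_OPEN;
    return KEY_OK;
}

/* Constructed input: make a temporary file with the given mode,
 * run the check on it, then remove it. */
enum key_check check_temp_file_with_mode(mode_t mode)
{
    char path[] = "/tmp/keycheck-XXXXXX";
    int fd = mkstemp(path);
    enum key_check result;

    if (fd < 0)
        return KEY_STAT_FAILED;
    result = fchmod(fd, mode) == 0 ? KEY_OK : KEY_STAT_FAILED;
    close(fd);
    if (result == KEY_OK)
        result = check_key_file(path);
    unlink(path);
    return result;
}

int main(void)
{
    /* 0440 is the -r--r----- mode shown in the ls output above. */
    printf("0440 -> %d\n", check_temp_file_with_mode(0440));
    printf("0600 -> %d\n", check_temp_file_with_mode(0600));
    return 0;
}
```

Mode 0440 is refused because of the group read bit alone; the file's owner and group never enter the test.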