Re: file permission on ssl key

From: Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
To: Jeroen Jacobs <jeroen(dot)jacobs(at)headincloud(dot)be>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Cc: "pgadmin-hackers(at)postgresql(dot)org" <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: file permission on ssl key
Date: 2017-04-24 02:42:10
Message-ID: CAG7mmoyoo0g93_bJZh2_H9dT0UA85ofJHG56Rc2T_gqg7B0HeQ@mail.gmail.com
Lists: pgadmin-hackers pgsql-general

Hi Jeroen,

This is pgAdmin hackers list.
Please send mail to pgsql-general(at)postgresql(dot)org mailing list for your
postgresql related queries.

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
<http://www.enterprisedb.com>

http://www.linkedin.com/in/asheshvashi

On Sun, Apr 23, 2017 at 11:25 PM, Jeroen Jacobs <
jeroen(dot)jacobs(at)headincloud(dot)be> wrote:

> Hi,
>
> I'm getting this error when I try to configure ssl with postgres:
>
> pr 23 13:12:47 pgmaster01 pg_ctl: FATAL: private key file
> "/etc/ssl/pgmaster01-key.pem" has group or world access
> Apr 23 13:12:47 pgmaster01 pg_ctl: DETAIL: Permissions should be u=rw
> (0600) or less.
>
> The actual permission is:
>
> centos(at)pgmaster01 ~]$ ls -l /etc/ssl/pgmaster01-key.pem
> -r--r----- 1 root ssl-read 3243 Apr 23 00:00 /etc/ssl/pgmaster01-key.pem
>
> postgres user is part of the ssl-read group. This ssl key is shared with
> other software as well, so giving exclusive access to the postgres user is
> NOT an option.
>
> I understand why postgres complains, but I'm pretty sure about what I'm
> doing here. How can I tell postgres to start anyway, even when it doesn't
> like those permissions? There should be a way to override this, I'm the
> admin here, it's up to me to decide to implement my security setup, not the
> software itself.
>
> So basically I have three options:
>
> - don't use ssl at all (not an option at all, actually)
> - create a separate copy of my ssl key file with the correct permissions
> that postgres likes (ugly workaround)
> - use another database server which allows me to configure it how I want
> it.
>
> I'm actually considering settling for the last solution, due to this crazy
> restriction you put in place...
>
>
> Regards,
>
> Jeroen.
>
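As an added illustration (not code from this thread or from PostgreSQL itself), the following Python pre-flight check emulates the refusal in the quoted error, a regular file with u=rw (0600) or less and no group or world bits, and shows Jeroen's second option, a private copy for the postgres user, created so that the file never exists with wider permissions than 0600. File names and the placeholder key content are constructed for the demo.

```python
import os
import stat
import tempfile

# The bits the server's message objects to: any group or world access.
GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO


def check_key_permissions(path):
    """Emulate the check behind "has group or world access": the key must be a
    regular file and its mode must be u=rw (0600) or less. Returns (ok, reason)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_mode & GROUP_OR_WORLD:
        return False, "has group or world access (mode %04o)" % stat.S_IMODE(st.st_mode)
    return True, "ok"


def install_private_copy(src, dst):
    """Option 2 from the thread done safely: create dst with O_EXCL and mode 0600
    before any key bytes are written, so there is no window in which the copy is
    readable by the group or the world. Returns the check result for dst."""
    with open(src, "rb") as f:
        data = f.read()
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.fchmod(fd, 0o600)  # defeat an unusual umask that would widen the mode
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return check_key_permissions(dst)


def demo(mode):
    """Constructed sample: a throwaway 'key' file with the given mode, so the
    check can be exercised offline. Returns (original_ok, private_copy_ok)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "pgmaster01-key.pem")  # constructed name
    with open(src, "wb") as f:
        f.write(b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED PLACEHOLDER\n-----END PRIVATE KEY-----\n")
    os.chmod(src, mode)
    original_ok, _ = check_key_permissions(src)
    copy_ok, _ = install_private_copy(src, os.path.join(workdir, "postgres-key.pem"))
    return original_ok, copy_ok


if __name__ == "__main__":
    # The thread's file is -r--r----- (0440): rejected, while the private copy passes.
    print(demo(0o440))
```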
