From: | Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com> |
---|---|
To: | Jeroen Jacobs <jeroen(dot)jacobs(at)headincloud(dot)be>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Cc: | "pgadmin-hackers(at)postgresql(dot)org" <pgadmin-hackers(at)postgresql(dot)org> |
Subject: | Re: file permission on ssl key |
Date: | 2017-04-24 02:42:10 |
Message-ID: | CAG7mmoyoo0g93_bJZh2_H9dT0UA85ofJHG56Rc2T_gqg7B0HeQ@mail.gmail.com |
Lists: | pgadmin-hackers pgsql-general |
Hi Jeroen,
This is the pgAdmin hackers list.
Please send mail to the pgsql-general(at)postgresql(dot)org mailing list for your
PostgreSQL-related queries.
--
Thanks & Regards,
Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
<http://www.enterprisedb.com>
<http://www.linkedin.com/in/asheshvashi>
On Sun, Apr 23, 2017 at 11:25 PM, Jeroen Jacobs <
jeroen(dot)jacobs(at)headincloud(dot)be> wrote:
> Hi,
>
> I'm getting this error when I try to configure ssl with postgres:
>
> Apr 23 13:12:47 pgmaster01 pg_ctl: FATAL: private key file
> "/etc/ssl/pgmaster01-key.pem" has group or world access
> Apr 23 13:12:47 pgmaster01 pg_ctl: DETAIL: Permissions should be u=rw
> (0600) or less.
>
> The actual permission is:
>
> [centos(at)pgmaster01 ~]$ ls -l /etc/ssl/pgmaster01-key.pem
> -r--r----- 1 root ssl-read 3243 Apr 23 00:00 /etc/ssl/pgmaster01-key.pem
>
> The postgres user is part of the ssl-read group. This ssl key is shared with
> other software as well, so giving exclusive access to the postgres user is
> NOT an option.
>
> I understand why postgres complains, but I'm pretty sure about what I'm
> doing here. How can I tell postgres to start anyway, even when it doesn't
> like those permissions? There should be a way to override this; I'm the
> admin here, and it's up to me to decide how to implement my security setup, not the
> software itself.
>
> So basically I have three options:
>
> - don't use ssl at all (not an option at all, actually)
> - create a separate copy of my ssl key file with the correct permissions
> that postgres likes (ugly workaround)
> - use another database server which allows me to configure it how I want
> it.
>
> I'm actually considering settling for the last solution, due to this crazy
> restriction you put in place...
>
>
> Regards,
>
> Jeroen.
>
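The rule behind the FATAL message quoted above, and the "separate copy" workaround listed as the poster's second option, as an added shell example that is not part of this thread or of the PostgreSQL project's code. It assumes a POSIX sh with either GNU `stat -c` or BSD `stat -f`, uses a constructed placeholder string in place of a real key, and writes the private copy as the current user; in a real deployment the copy would be owned by the server account (`chown` when run as root) and refreshed whenever the shared key is rotated. Later PostgreSQL releases (11 onward) also accept a root-owned key file with mode 0640, which matches the group-readable layout the poster wants; the check below implements the stricter rule the 2017 message states, plus the ownership rule the server applies alongside it.

```shell
#!/bin/sh
# Added example, not from the thread or from PostgreSQL: mirror the checks the
# server applies to ssl_key_file, and build a 0600 private copy of a shared key.

# Octal mode of a file, e.g. "640". Tries GNU stat first, then BSD stat.
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric owner uid of a file (GNU stat, then BSD stat).
key_owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Returns 0 when no group or world bits are set (mode & 077 == 0), which is
# exactly what "Permissions should be u=rw (0600) or less" requires.
key_perms_ok() {
    mode=$(key_mode "$1") || return 2
    # Left-pad to four digits so a bare "0" or "600" is handled uniformly,
    # then look only at the group/other digits.
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Returns 0 when the file is owned by the current (server) user or by root,
# the ownership condition the server checks in addition to the mode bits.
key_owner_ok() {
    uid=$(key_owner_uid "$1") || return 2
    [ "$uid" = "$(id -u)" ] || [ "$uid" = "0" ]
}

# Create a private copy of a shared key for the server account.
# umask 077 in the subshell means the copy is never group/world readable,
# not even for the instant between creation and chmod.
make_private_copy() {
    src=$1
    dst=$2
    ( umask 077 && cp "$src" "$dst" ) || return 1
    chmod 0600 "$dst"
    # Assumed step for a real deployment, run as root:
    #   chown postgres:postgres "$dst"
}

# Walk through the scenario from the thread on a constructed file.
demo() {
    t=$(mktemp -d) || return 1
    printf 'CONSTRUCTED PLACEHOLDER, NOT A REAL KEY\n' > "$t/shared-key.pem"
    chmod 0640 "$t/shared-key.pem"          # the -r--r----- style layout
    if key_perms_ok "$t/shared-key.pem"; then
        echo "shared key: unexpectedly passed the 0600 rule"
    else
        echo "shared key: rejected, mode $(key_mode "$t/shared-key.pem")"
    fi
    make_private_copy "$t/shared-key.pem" "$t/private-key.pem" || return 1
    key_perms_ok "$t/private-key.pem" && key_owner_ok "$t/private-key.pem" \
        && echo "private copy: accepted, mode $(key_mode "$t/private-key.pem")"
    rc=$?
    rm -rf "$t"
    return $rc
}

# Run the walkthrough only when asked: sh thisfile.sh --demo
case "${1:-}" in --demo) demo ;; esac
```

The check is on mode bits rather than effective access, so it reports a 0640 file as rejected even when run as root or as a group member, which is how the server behaves and why group membership alone does not satisfy it.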