From: | "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
---|---|
To: | "Dave Coventry *EXTERN*" <dgcoventry(at)gmail(dot)com> |
Cc: | <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: SAST FATAL: could not access private key file "server.key" |
Date: | 2008-07-02 14:16:12 |
Message-ID: | D960CB61B694CF459DCFB4B0128514C20244E743@exadv11.host.magwien.gv.at |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Dave Coventry wrote:
>> If you want SSL,
>> 2) Is there a file server.key? If yes, make it readable to the
>> postgres user. If not, create it as documented.
>
> Here is the contents of my /var/lib/postgresql/8.2/main/ :
>
> root(at)Admin:/var/lib/postgresql/8.2/main# ls -l
> total 9
> drwx------ 7 postgres postgres 168 2008-06-29 11:27 base
> drwx------ 2 postgres postgres 768 2008-06-30 13:01 global
> drwx------ 2 postgres postgres 72 2008-06-24 09:37 pg_clog
> drwx------ 4 postgres postgres 96 2008-06-24 09:37 pg_multixact
> drwx------ 2 postgres postgres 72 2008-06-24 09:37 pg_subtrans
> drwx------ 2 postgres postgres 48 2008-06-24 09:37 pg_tblspc
> drwx------ 2 postgres postgres 48 2008-06-24 09:37 pg_twophase
> -rw------- 1 postgres postgres 4 2008-06-24 09:37 PG_VERSION
> drwx------ 3 postgres postgres 120 2008-06-24 09:37 pg_xlog
> -rw------- 1 postgres postgres 125 2008-06-30 08:59 postmaster.opts
> lrwxrwxrwx 1 root root 31 2008-06-24 09:37 root.crt ->
> /etc/postgresql-common/root.crt
> lrwxrwxrwx 1 root root 36 2008-06-24 09:37 server.crt ->
> /etc/ssl/certs/ssl-cert-snakeoil.pem
> lrwxrwxrwx 1 root root 38 2008-06-24 09:37 server.key ->
> /etc/ssl/private/ssl-cert-snakeoil.key
>
> 'server.key' seems to be writable to all and sundry, although the file
> it is linked to (ssl-cert-snakeoil.key) is not:
>
>
> root(at)Admin:/etc/ssl/private# ls -l
> total 4
> -rw------- 1 root ssl-cert 887 2008-06-11 12:18 ssl-cert-snakeoil.key
You will need to give postgres read permission to /etc/ssl/private/ssl-cert-snakeoil.key
This also means to give 'traverse directory' (x) permissions
on all the directories in the path to user postgres.
You can test it by becoming user postgres and trying to 'cat' the file.
Was it you who set up the system like that?
Maybe there are good reasons why the key file is only accessible by root.
Maybe you shouldn't use this file as your server key.
But these are considerations beyond my view here.
Yours,
Laurenz Albe
From | Date | Subject | |
---|---|---|---|
Next Message | Magnus Hagander | 2008-07-02 14:17:36 | Re: pg crashing |
Previous Message | Dave Coventry | 2008-07-02 13:43:30 | Re: SAST FATAL: could not access private key file "server.key" |