Re: BUG #3809: SSL "unsafe" private key permissions bug
| From | Bruce Momjian |
|---|---|
| Subject | Re: BUG #3809: SSL "unsafe" private key permissions bug |
| Date | |
| Msg-id | 200712161037.lBGAb5P07573@momjian.us |
| In reply to | Re: BUG #3809: SSL "unsafe" private key permissions bug (Martin Pitt <martin@piware.de>) |
| List | pgsql-bugs |
Agreed. Let's look this over again in 8.4. I am feeling our restrictions
are making things _less_ secure sometimes.

This has been saved for the 8.4 release:

http://momjian.postgresql.org/cgi-bin/pgpatches_hold

---------------------------------------------------------------------------

Martin Pitt wrote:
-- Start of PGP signed section.
> Hi,
>
> Simon Arlott [2007-12-08 12:24 +0000]:
> > Bug reference: 3809
> > Logged by: Simon Arlott
> > Email address: postgresql.simon@arlott.org
> > PostgreSQL version: 8.2.4
> > Operating system: Linux 2.6.23
> > Description: SSL "unsafe" private key permissions bug
> > Details:
> >
> > FATAL: unsafe permissions on private key file "server.key"
> > DETAIL: File must be owned by the database user and must have no
> > permissions for "group" or "other".
> >
> > It should be possible to disable this check in the configuration, so those
> > of us capable of deciding what's unsafe can do so.
>
> For the same reason Debian/Ubuntu have modified this check ages ago,
> to also allow for keys which are owned by root and readable by a
> particular group. A lot of our users want to share a common SSL
> cert/key between all servers, and the upstream check makes this
> impossible. (Ubuntu sets up all server packages in a way that they all
> share a common SSL key called "snakeoil" which is generated on system
> installation. By merely replacing this with a real one, your box
> becomes sanely configured without fiddling with any configuration
> files.)
>
> I already proposed this patch two times, but it has been rejected so
> far unfortunately. But maybe it's useful for you.
>
> Martin
>
> --
> Martin Pitt http://www.piware.de
> Ubuntu Developer http://www.ubuntu.com
> Debian Developer http://www.debian.org
-- End of PGP section, PGP failed!

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +