Re: [BUGS] BUG #14543: libpq fails with group readable ssl keys
| From | Bruce Momjian |
|---|---|
| Subject | Re: [BUGS] BUG #14543: libpq fails with group readable ssl keys |
| Date | |
| Msg-id | 20170227225845.GG421@momjian.us |
| In reply to | [BUGS] BUG #14543: libpq fails with group readable ssl keys (postgres@freigeist.org) |
| Replies | Re: [BUGS] BUG #14543: libpq fails with group readable ssl keys |
| List | pgsql-bugs |
On Mon, Feb 13, 2017 at 06:43:23PM +0000, postgres@freigeist.org wrote:
> The following bug has been logged on the website:
>
> Bug reference: 14543
> Logged by: Johannes Ziemke
> Email address: postgres@freigeist.org
> PostgreSQL version: 9.5.6
> Operating system: linux
> Description:
>
> Hi,
>
> looks like libpq checks if an ssl key is group or world readable and aborts
> if that's the case:
>
> # pg_basebackup -R -d
> 'postgres://replication@db-rw?sslmode=verify-ca&sslcert=/etc/ssl/private/default.pem&sslkey=/etc/ssl/private/default-key.pem&sslrootcert=/etc/ssl/ca-trusted.pem'
> -D /var/lib/postgresql/9.5/main --xlog-method=stream
> pg_basebackup: could not connect to server: private key file
> "/etc/ssl/private/default-key.pem" has group or world access; permissions
> should be u=rw (0600) or less
>
> # ls -al /etc/ssl/private/default-key.pem
> -rw-r----- 1 root ssl-cert 1675 Feb 13 18:04
> /etc/ssl/private/default-key.pem
>
>
> While I agree this is reasonable to do if the key is world readable, it's
> perfectly fine to make an SSL key group readable to share it with multiple
> users on the same system.
>
> Ubuntu (and probably most other distributions) even creates a group for
> exactly this scenario:
>
> # ls -l /etc/ssl/private/
> total 4
> -rw-r----- 1 root ssl-cert 1708 Apr 14 2016 ssl-cert-snakeoil.key

We changed Postgres 9.6 to allow open group permissions on the _server_'s
SSL key if it was owned by root:

Allow the server's <acronym>SSL</> key file to have group read access if it
is owned by <literal>root</> (Christoph Berg)

Is this something we should change on the client? I don't see why not, but
the 'root' requirement would still remain.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
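The two permission rules contrasted in this thread, as an added illustration that is not libpq's or the PostgreSQL server's own code: the strict rule the client error message describes (u=rw or less) and the 9.6 server rule that additionally tolerates group read on a root-owned key. It assumes a POSIX system; `check_key_file` and the default path used in `main` are constructed for the example.

```c
/* Added example, not libpq's code: key-file permission rules from the thread. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Strict rule (what the libpq error message describes): the key file must be
 * u=rw (0600) or less, i.e. no group and no world permission bits at all. */
bool key_mode_ok_strict(uid_t owner, mode_t mode)
{
    (void) owner;                       /* the owner does not matter here */
    return (mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Relaxed rule as described for the 9.6 server: a root-owned key may be
 * group-readable (e.g. 0640 root:ssl-cert), but still not group-writable,
 * group-executable or world-accessible. Any other owner keeps the strict rule. */
bool key_mode_ok_root_group(uid_t owner, mode_t mode)
{
    if (owner != 0)
        return key_mode_ok_strict(owner, mode);
    return (mode & (S_IWGRP | S_IXGRP | S_IRWXO)) == 0;
}

/* Apply the relaxed rule to a real path. Returns 1 if acceptable, 0 if the
 * file is rejected (bad mode or not a regular file), -1 if stat() fails. */
int check_key_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    return key_mode_ok_root_group(st.st_uid, st.st_mode & 07777) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Default path is the one from the bug report; pass another as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/etc/ssl/private/default-key.pem";
    int rc = check_key_file(path);
    if (rc < 0)
        perror(path);
    else
        printf("%s: %s\n", path, rc ? "accepted" : "rejected (group or world access)");
    return rc == 1 ? 0 : 1;
}
```

Under the relaxed rule the reported file (0640, owned by root, group ssl-cert) is accepted, while the same mode on a key owned by an ordinary user is still rejected.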