Re: Relaxing SSL key permission checks

Christoph Berg <myon@debian.org> writes:
> Currently the server insists on ssl_key_file's permissions to be 0600
> or less, and be owned by the database user. Debian has been patching
> be-secure.c since forever (the git history goes back to 8.2beta1) to
> relax that to 0640 or less, and owned by root or the database user.

Debian can do that if they like, but it's entirely unacceptable as an
across-the-board patch.  Not all systems treat groups as being narrow
domains in which it's okay to assume that group-readable files are
secure enough to be keys.  As an example, on OS X user files tend to be
group "staff" or "admin" which'd be close enough to world readable.

We could allow group-readable if we had some way to know whether to
trust the specific group, but I don't think there's any practical
way to do that.  System conventions vary too much.
        regards, tom lane