Re: [BUGS] BUG #14543: libpq fails with group readable ssl keys
| From | Johannes Ziemke |
|---|---|
| Subject | Re: [BUGS] BUG #14543: libpq fails with group readable ssl keys |
| Date | |
| Msg-id | CANi=R=0vSdd8PXkbrO0sUExy222F4OdgB=kFo4+EoLfX2FzUUg@mail.gmail.com |
| In reply to | Re: [BUGS] BUG #14543: libpq fails with group readable ssl keys (Michael Paquier <michael.paquier@gmail.com>) |
| List | pgsql-bugs |
Hi,
On Tue, Feb 14, 2017 at 1:01 AM, Michael Paquier <michael.paquier@gmail.com> wrote:
> On Tue, Feb 14, 2017 at 3:43 AM, <postgres@freigeist.org> wrote:
>> looks like libpq checks if a ssl key is group or world readable and aborts
>> if that's the case:
> This is not a bug.
Sorry, haven't found a way to submit 'suggestions'.
>> # pg_basebackup -R -d
>> 'postgres://replication@db-rw?sslmode=verify-ca&sslcert=/etc/ssl/private/default.pem&sslkey=/etc/ssl/private/default-key.pem&sslrootcert=/etc/ssl/ca-trusted.pem'
>> -D /var/lib/postgresql/9.5/main --xlog-method=stream
>> pg_basebackup: could not connect to server: private key file
>> "/etc/ssl/private/default-key.pem" has group or world access; permissions
>> should be u=rw (0600) or less
> This behavior comes from commit eb7afc14 of 2002.
>> While I agree this is reasonable to do if the key is world readable, it's
>> perfectly fine to make a SSL key group readable to share it with multiple
>> users on the same system.
> I don't disagree with that. Now it is hard to justify a change for a
> 14-year-old behavior as many users may rely on the current way things
> work as well.
I can't imagine how someone would rely on this behavior.
I don't care that much though, I just didn't want to rant about this feature without reporting it like a good user :)
>> Ubuntu (and probably most other distributions) even creates a group for
>> exactly this scenario:
> Hard to assume. Fedora does not have such a patch:
> http://pkgs.fedoraproject.org/cgit/rpms/postgresql.git/tree/ .
> Archlinux also shows none:
> https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/postgresql.
I didn't mean they patch it, I mean they create a group to share ssl keys with multiple services. Just pointed that out to prove it's established practice to have keys group-readable.