NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit2764d5d

committed

Make be-secure-common.c more consistent for future SSL implementations

Recent commit8a3d942 has introduced be-secure-common.c, which is aimedat including backend-side APIs that can be used by any SSLimplementation. The purpose is similar to fe-secure-common.c for thefrontend-side APIs.However, this has forgotten to include check_ssl_key_file_permissions()in the move, which causes a double dependency between be-secure.c andbe-secure-openssl.c.Refactor the code in a more logical way. This also puts into light anAPI which is usable by future SSL implementations for permissions on SSLkey files.Author: Michael Paquier <michael@paquier.xyz>

1 parent7e0d64c commit2764d5dCopy full SHA for 2764d5d

File tree

3 files changed

+76

-70

lines changed

src
- backend/libpq
  - be-secure-common.c
  - be-secure.c
- include/libpq
  - libpq.h

3 files changed

+76

-70

lines changed

`‎src/backend/libpq/be-secure-common.c`

Lines changed: 74 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,9 @@`
`19`	`19`
`20`	`20`	`#include"postgres.h"`
`21`	`21`
	`22`	`+#include<sys/stat.h>`
	`23`	`+#include<unistd.h>`
	`24`	`+`
`22`	`25`	`#include"libpq/libpq.h"`
`23`	`26`	`#include"storage/fd.h"`
`24`	`27`
`@@ -118,3 +121,74 @@ run_ssl_passphrase_command(const char prompt, bool is_server_start, char buf,`
`118`	`121`	`pfree(command.data);`
`119`	`122`	`returnlen;`
`120`	`123`	`}`
	`124`	`+`
	`125`	`+`
	`126`	`+/*`
	`127`	`+ * Check permissions for SSL key files.`
	`128`	`+ */`
	`129`	`+bool`
	`130`	`+check_ssl_key_file_permissions(constchar*ssl_key_file,boolisServerStart)`
	`131`	`+{`
	`132`	`+intloglevel=isServerStart ?FATAL :LOG;`
	`133`	`+structstatbuf;`
	`134`	`+`
	`135`	`+if (stat(ssl_key_file,&buf)!=0)`
	`136`	`+{`
	`137`	`+ereport(loglevel,`
	`138`	`+(errcode_for_file_access(),`
	`139`	`+errmsg("could not access private key file \"%s\": %m",`
	`140`	`+ssl_key_file)));`
	`141`	`+return false;`
	`142`	`+}`
	`143`	`+`
	`144`	`+if (!S_ISREG(buf.st_mode))`
	`145`	`+{`
	`146`	`+ereport(loglevel,`
	`147`	`+(errcode(ERRCODE_CONFIG_FILE_ERROR),`
	`148`	`+errmsg("private key file \"%s\" is not a regular file",`
	`149`	`+ssl_key_file)));`
	`150`	`+return false;`
	`151`	`+}`
	`152`	`+`
	`153`	`+/*`
	`154`	`+ * Refuse to load key files owned by users other than us or root.`
	`155`	`+ *`
	`156`	`+ * XXX surely we can check this on Windows somehow, too.`
	`157`	`+ */`
	`158`	`+#if !defined(WIN32)&& !defined(__CYGWIN__)`
	`159`	`+if (buf.st_uid!=geteuid()&&buf.st_uid!=0)`
	`160`	`+{`
	`161`	`+ereport(loglevel,`
	`162`	`+(errcode(ERRCODE_CONFIG_FILE_ERROR),`
	`163`	`+errmsg("private key file \"%s\" must be owned by the database user or root",`
	`164`	`+ssl_key_file)));`
	`165`	`+return false;`
	`166`	`+}`
	`167`	`+#endif`
	`168`	`+`
	`169`	`+/*`
	`170`	`+ * Require no public access to key file. If the file is owned by us,`
	`171`	`+ * require mode 0600 or less. If owned by root, require 0640 or less to`
	`172`	`+ * allow read access through our gid, or a supplementary gid that allows`
	`173`	`+ * to read system-wide certificates.`
	`174`	`+ *`
	`175`	`+ * XXX temporarily suppress check when on Windows, because there may not`
	`176`	`+ * be proper support for Unix-y file permissions. Need to think of a`
	`177`	`+ * reasonable check to apply on Windows. (See also the data directory`
	`178`	`+ * permission check in postmaster.c)`
	`179`	`+ */`
	`180`	`+#if !defined(WIN32)&& !defined(__CYGWIN__)`
	`181`	`+if ((buf.st_uid==geteuid()&&buf.st_mode& (S_IRWXG \|S_IRWXO))\|\|`
	`182`	`+(buf.st_uid==0&&buf.st_mode& (S_IWGRP \|S_IXGRP \|S_IRWXO)))`
	`183`	`+{`
	`184`	`+ereport(loglevel,`
	`185`	`+(errcode(ERRCODE_CONFIG_FILE_ERROR),`
	`186`	`+errmsg("private key file \"%s\" has group or world access",`
	`187`	`+ssl_key_file),`
	`188`	`+errdetail("File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.")));`
	`189`	`+return false;`
	`190`	`+}`
	`191`	`+#endif`
	`192`	`+`
	`193`	`+return true;`
	`194`	`+}`

`‎src/backend/libpq/be-secure.c`

Lines changed: 0 additions & 69 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,12 +18,10 @@`
`18`	`18`
`19`	`19`	`#include"postgres.h"`
`20`	`20`
`21`		`-#include<sys/stat.h>`
`22`	`21`	`#include<signal.h>`
`23`	`22`	`#include<fcntl.h>`
`24`	`23`	`#include<ctype.h>`
`25`	`24`	`#include<sys/socket.h>`
`26`		`-#include<unistd.h>`
`27`	`25`	`#include<netdb.h>`
`28`	`26`	`#include<netinet/in.h>`
`29`	`27`	`#ifdefHAVE_NETINET_TCP_H`
`@@ -320,70 +318,3 @@ secure_raw_write(Port port, const void ptr, size_t len)`
`320`	`318`
`321`	`319`	`returnn;`
`322`	`320`	`}`
`323`		`-`
`324`		`-bool`
`325`		`-check_ssl_key_file_permissions(constchar*ssl_key_file,boolisServerStart)`
`326`		`-{`
`327`		`-intloglevel=isServerStart ?FATAL :LOG;`
`328`		`-structstatbuf;`
`329`		`-`
`330`		`-if (stat(ssl_key_file,&buf)!=0)`
`331`		`-{`
`332`		`-ereport(loglevel,`
`333`		`-(errcode_for_file_access(),`
`334`		`-errmsg("could not access private key file \"%s\": %m",`
`335`		`-ssl_key_file)));`
`336`		`-return false;`
`337`		`-}`
`338`		`-`
`339`		`-if (!S_ISREG(buf.st_mode))`
`340`		`-{`
`341`		`-ereport(loglevel,`
`342`		`-(errcode(ERRCODE_CONFIG_FILE_ERROR),`
`343`		`-errmsg("private key file \"%s\" is not a regular file",`
`344`		`-ssl_key_file)));`
`345`		`-return false;`
`346`		`-}`
`347`		`-`
`348`		`-/*`
`349`		`- * Refuse to load key files owned by users other than us or root.`
`350`		`- *`
`351`		`- * XXX surely we can check this on Windows somehow, too.`
`352`		`- */`
`353`		`-#if !defined(WIN32)&& !defined(__CYGWIN__)`
`354`		`-if (buf.st_uid!=geteuid()&&buf.st_uid!=0)`
`355`		`-{`
`356`		`-ereport(loglevel,`
`357`		`-(errcode(ERRCODE_CONFIG_FILE_ERROR),`
`358`		`-errmsg("private key file \"%s\" must be owned by the database user or root",`
`359`		`-ssl_key_file)));`
`360`		`-return false;`
`361`		`-}`
`362`		`-#endif`
`363`		`-`
`364`		`-/*`
`365`		`- * Require no public access to key file. If the file is owned by us,`
`366`		`- * require mode 0600 or less. If owned by root, require 0640 or less to`
`367`		`- * allow read access through our gid, or a supplementary gid that allows`
`368`		`- * to read system-wide certificates.`
`369`		`- *`
`370`		`- * XXX temporarily suppress check when on Windows, because there may not`
`371`		`- * be proper support for Unix-y file permissions. Need to think of a`
`372`		`- * reasonable check to apply on Windows. (See also the data directory`
`373`		`- * permission check in postmaster.c)`
`374`		`- */`
`375`		`-#if !defined(WIN32)&& !defined(__CYGWIN__)`
`376`		`-if ((buf.st_uid==geteuid()&&buf.st_mode& (S_IRWXG \|S_IRWXO))\|\|`
`377`		`-(buf.st_uid==0&&buf.st_mode& (S_IWGRP \|S_IXGRP \|S_IRWXO)))`
`378`		`-{`
`379`		`-ereport(loglevel,`
`380`		`-(errcode(ERRCODE_CONFIG_FILE_ERROR),`
`381`		`-errmsg("private key file \"%s\" has group or world access",`
`382`		`-ssl_key_file),`
`383`		`-errdetail("File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.")));`
`384`		`-return false;`
`385`		`-}`
`386`		`-#endif`
`387`		`-`
`388`		`-return true;`
`389`		`-}`

`‎src/include/libpq/libpq.h`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,6 @@ extern ssize_t secure_read(Port port, void ptr, size_t len);`
`92`	`92`	`externssize_tsecure_write(Portport,voidptr,size_tlen);`
`93`	`93`	`externssize_tsecure_raw_read(Portport,voidptr,size_tlen);`
`94`	`94`	`externssize_tsecure_raw_write(Portport,constvoidptr,size_tlen);`
`95`		`-externboolcheck_ssl_key_file_permissions(constchar*ssl_key_file,boolisServerStart);`
`96`	`95`
`97`	`96`	`externboolssl_loaded_verify_locations;`
`98`	`97`
`@@ -108,5 +107,7 @@ extern bool SSLPreferServerCiphers;`
`108`	`107`	`*/`
`109`	`108`	`externintrun_ssl_passphrase_command(constchar*prompt,boolis_server_start,`
`110`	`109`	`char*buf,intsize);`
	`110`	`+externboolcheck_ssl_key_file_permissions(constchar*ssl_key_file,`
	`111`	`+boolisServerStart);`
`111`	`112`
`112`	`113`	`#endif/* LIBPQ_H */`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit2764d5d

File tree

3 files changed

3 files changed

`‎src/backend/libpq/be-secure-common.c`

`‎src/backend/libpq/be-secure.c`

`‎src/include/libpq/libpq.h`

0 commit comments