NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit72918ea

committed

Allow root-owned SSL private keys in libpq, not only the backend.

This change makes libpq apply the same private-key-file ownershipand permissions checks that we have used in the backend since commit9a83564. Namely, that the private key can be owned by either thecurrent user or root (with different file permissions allowed in thetwo cases). This allows system-wide management of key files, whichis just as sensible on the client side as the server, particularlywhen the client is itself some application daemon.Sync the comments about this between libpq and the backend, too.Back-patch ofa59c795 and50f0347 into all supported branches.David SteeleDiscussion:https://postgr.es/m/f4b7bc55-97ac-9e69-7398-335e212f7743@pgmasters.net

1 parent0f7b62f commit72918eaCopy full SHA for 72918ea

File tree

3 files changed

+69

-25

lines changed

doc/src/sgml
- libpq.sgml
src
- backend/libpq
  - be-secure-common.c
- interfaces/libpq
  - fe-secure-openssl.c

3 files changed

+69

-25

lines changed

`‎doc/src/sgml/libpq.sgml`

Lines changed: 19 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -8016,23 +8016,35 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)`
`8016`	`8016`	`<para>`
`8017`	`8017`	`If the server attempts to verify the identity of the`
`8018`	`8018`	`client by requesting the client's leaf certificate,`
`8019`		`- <application>libpq</application> will send thecertificates stored in`
	`8019`	`+ <application>libpq</application> will send thecertificate(s) stored in`
`8020`	`8020`	`file <filename>~/.postgresql/postgresql.crt</filename> in the user's home`
`8021`	`8021`	`directory. The certificates must chain to the root certificate trusted`
`8022`	`8022`	`by the server. A matching`
`8023`	`8023`	`private key file <filename>~/.postgresql/postgresql.key</filename> must also`
`8024`		`- be present. The private`
`8025`		`- key file must not allow any access to world or group; achieve this by the`
`8026`		`- command <command>chmod 0600 ~/.postgresql/postgresql.key</command>.`
	`8024`	`+ be present.`
`8027`	`8025`	`On Microsoft Windows these files are named`
`8028`	`8026`	`<filename>%APPDATA%\postgresql\postgresql.crt</filename> and`
`8029`		`- <filename>%APPDATA%\postgresql\postgresql.key</filename>, and there`
`8030`		`- is no special permissions check since the directory is presumed secure.`
	`8027`	`+ <filename>%APPDATA%\postgresql\postgresql.key</filename>.`
`8031`	`8028`	`The location of the certificate and key files can be overridden by the`
`8032`		`- connection parameters <literal>sslcert</literal> and <literal>sslkey</literal> or the`
	`8029`	`+ connection parameters <literal>sslcert</literal>`
	`8030`	`+ and <literal>sslkey</literal>, or by the`
`8033`	`8031`	`environment variables <envar>PGSSLCERT</envar> and <envar>PGSSLKEY</envar>.`
`8034`	`8032`	`</para>`
`8035`	`8033`
	`8034`	`+ <para>`
	`8035`	`+ On Unix systems, the permissions on the private key file must disallow`
	`8036`	`+ any access to world or group; achieve this by a command such as`
	`8037`	`+ <command>chmod 0600 ~/.postgresql/postgresql.key</command>.`
	`8038`	`+ Alternatively, the file can be owned by root and have group read access`
	`8039`	`+ (that is, <literal>0640</literal> permissions). That setup is intended`
	`8040`	`+ for installations where certificate and key files are managed by the`
	`8041`	`+ operating system. The user of <application>libpq</application> should`
	`8042`	`+ then be made a member of the group that has access to those certificate`
	`8043`	`+ and key files. (On Microsoft Windows, there is no file permissions`
	`8044`	`+ check, since the <filename>%APPDATA%\postgresql</filename> directory is`
	`8045`	`+ presumed secure.)`
	`8046`	`+ </para>`
	`8047`	`+`
`8036`	`8048`	`<para>`
`8037`	`8049`	`The first certificate in <filename>postgresql.crt</filename> must be the`
`8038`	`8050`	`client's certificate because it must match the client's private key.`

`‎src/backend/libpq/be-secure-common.c`

Lines changed: 13 additions & 15 deletions

Original file line number	Diff line number	Diff line change
`@@ -142,6 +142,7 @@ check_ssl_key_file_permissions(const char *ssl_key_file, bool isServerStart)`
`142`	`142`	`return false;`
`143`	`143`	`}`
`144`	`144`
	`145`	`+/* Key file must be a regular file */`
`145`	`146`	`if (!S_ISREG(buf.st_mode))`
`146`	`147`	`{`
`147`	`148`	`ereport(loglevel,`
`@@ -152,9 +153,19 @@ check_ssl_key_file_permissions(const char *ssl_key_file, bool isServerStart)`
`152`	`153`	`}`
`153`	`154`
`154`	`155`	`/*`
`155`		`- * Refuse to load key files owned by users other than us or root.`
	`156`	`+ * Refuse to load key files owned by users other than us or root, and`
	`157`	`+ * require no public access to the key file. If the file is owned by us,`
	`158`	`+ * require mode 0600 or less. If owned by root, require 0640 or less to`
	`159`	`+ * allow read access through either our gid or a supplementary gid that`
	`160`	`+ * allows us to read system-wide certificates.`
`156`	`161`	`*`
`157`		`- * XXX surely we can check this on Windows somehow, too.`
	`162`	`+ * Note that similar checks are performed in`
	`163`	`+ * src/interfaces/libpq/fe-secure-openssl.c so any changes here may need`
	`164`	`+ * to be made there as well.`
	`165`	`+ *`
	`166`	`+ * Ideally we would do similar permissions checks on Windows, but it is`
	`167`	`+ * not clear how that would work since Unix-style permissions may not be`
	`168`	`+ * available.`
`158`	`169`	`*/`
`159`	`170`	`#if !defined(WIN32)&& !defined(__CYGWIN__)`
`160`	`171`	`if (buf.st_uid!=geteuid()&&buf.st_uid!=0)`
`@@ -165,20 +176,7 @@ check_ssl_key_file_permissions(const char *ssl_key_file, bool isServerStart)`
`165`	`176`	`ssl_key_file)));`
`166`	`177`	`return false;`
`167`	`178`	`}`
`168`		`-#endif`
`169`	`179`
`170`		`-/*`
`171`		`- * Require no public access to key file. If the file is owned by us,`
`172`		`- * require mode 0600 or less. If owned by root, require 0640 or less to`
`173`		`- * allow read access through our gid, or a supplementary gid that allows`
`174`		`- * to read system-wide certificates.`
`175`		`- *`
`176`		`- * XXX temporarily suppress check when on Windows, because there may not`
`177`		`- * be proper support for Unix-y file permissions. Need to think of a`
`178`		`- * reasonable check to apply on Windows. (See also the data directory`
`179`		`- * permission check in postmaster.c)`
`180`		`- */`
`181`		`-#if !defined(WIN32)&& !defined(__CYGWIN__)`
`182`	`180`	`if ((buf.st_uid==geteuid()&&buf.st_mode& (S_IRWXG \|S_IRWXO))\|\|`
`183`	`181`	`(buf.st_uid==0&&buf.st_mode& (S_IWGRP \|S_IXGRP \|S_IRWXO)))`
`184`	`182`	`{`

`‎src/interfaces/libpq/fe-secure-openssl.c`

Lines changed: 37 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1121,11 +1121,45 @@ initialize_SSL(PGconn *conn)`
`1121`	`1121`	`fnbuf);`
`1122`	`1122`	`return-1;`
`1123`	`1123`	`}`
`1124`		`-#ifndefWIN32`
`1125`		`-if (!S_ISREG(buf.st_mode)\|\|buf.st_mode& (S_IRWXG \|S_IRWXO))`
	`1124`	`+`
	`1125`	`+/* Key file must be a regular file */`
	`1126`	`+if (!S_ISREG(buf.st_mode))`
	`1127`	`+{`
	`1128`	`+printfPQExpBuffer(&conn->errorMessage,`
	`1129`	`+libpq_gettext("private key file \"%s\" is not a regular file"),`
	`1130`	`+fnbuf);`
	`1131`	`+return-1;`
	`1132`	`+}`
	`1133`	`+`
	`1134`	`+/*`
	`1135`	`+ * Refuse to load key files owned by users other than us or root, and`
	`1136`	`+ * require no public access to the key file. If the file is owned by`
	`1137`	`+ * us, require mode 0600 or less. If owned by root, require 0640 or`
	`1138`	`+ * less to allow read access through either our gid or a supplementary`
	`1139`	`+ * gid that allows us to read system-wide certificates.`
	`1140`	`+ *`
	`1141`	`+ * Note that similar checks are performed in`
	`1142`	`+ * src/backend/libpq/be-secure-common.c so any changes here may need`
	`1143`	`+ * to be made there as well.`
	`1144`	`+ *`
	`1145`	`+ * Ideally we would do similar permissions checks on Windows, but it`
	`1146`	`+ * is not clear how that would work since Unix-style permissions may`
	`1147`	`+ * not be available.`
	`1148`	`+ */`
	`1149`	`+#if !defined(WIN32)&& !defined(__CYGWIN__)`
	`1150`	`+if (buf.st_uid!=geteuid()&&buf.st_uid!=0)`
	`1151`	`+{`
	`1152`	`+printfPQExpBuffer(&conn->errorMessage,`
	`1153`	`+libpq_gettext("private key file \"%s\" must be owned by the current user or root\n"),`
	`1154`	`+fnbuf);`
	`1155`	`+return-1;`
	`1156`	`+}`
	`1157`	`+`
	`1158`	`+if ((buf.st_uid==geteuid()&&buf.st_mode& (S_IRWXG \|S_IRWXO))\|\|`
	`1159`	`+(buf.st_uid==0&&buf.st_mode& (S_IWGRP \|S_IXGRP \|S_IRWXO)))`
`1126`	`1160`	`{`
`1127`	`1161`	`printfPQExpBuffer(&conn->errorMessage,`
`1128`		`-libpq_gettext("private key file \"%s\" has group or world access;permissions should beu=rw (0600) or less\n"),`
	`1162`	`+libpq_gettext("private key file \"%s\" has group or world access;file must have permissionsu=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root\n"),`
`1129`	`1163`	`fnbuf);`
`1130`	`1164`	`return-1;`
`1131`	`1165`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit72918ea

File tree

3 files changed

3 files changed

`‎doc/src/sgml/libpq.sgml`

`‎src/backend/libpq/be-secure-common.c`

`‎src/interfaces/libpq/fe-secure-openssl.c`

0 commit comments