NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit9a83564

committed

Allow SSL server key file to have group read access if owned by root

We used to require the server key file to have permissions 0600 or lessfor best security. But some systems (such as Debian) have certificateand key files managed by the operating system that can be shared withother services. In those cases, the "postgres" user is made a member ofa special group that has access to those files, and the server key filehas permissions 0640. To accommodate that kind of setup, also allow thekey file to have permissions 0640 but only if owned by root.From: Christoph Berg <myon@debian.org>Reviewed-by: Alvaro Herrera <alvherre@alvh.no-ip.org>

1 parent6eb2be1 commit9a83564Copy full SHA for 9a83564

File tree

2 files changed

+40

-6

lines changed

doc/src/sgml
- runtime.sgml
src/backend/libpq
- be-secure-openssl.c

2 files changed

+40

-6

lines changed

`‎doc/src/sgml/runtime.sgml`

Lines changed: 12 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2147,9 +2147,20 @@ pg_dumpall -p 5432 \| psql -d postgres -p 5433`
`2147`	`2147`	`the server's data directory, but other names and locations can be specified`
`2148`	`2148`	`using the configuration parameters <xref linkend="guc-ssl-cert-file">`
`2149`	`2149`	`and <xref linkend="guc-ssl-key-file">.`
	`2150`	`+ </para>`
	`2151`	`+`
	`2152`	`+ <para>`
`2150`	`2153`	`On Unix systems, the permissions on <filename>server.key</filename> must`
`2151`	`2154`	`disallow any access to world or group; achieve this by the command`
`2152`		`- <command>chmod 0600 server.key</command>.`
	`2155`	`+ <command>chmod 0600 server.key</command>. Alternatively, the file can be`
	`2156`	`+ owned by root and have group read access (that is, <literal>0640</literal>`
	`2157`	`+ permissions). That setup is intended for installations where certificate`
	`2158`	`+ and key files are managed by the operating system. The user under which`
	`2159`	`+ the <productname>PostgreSQL</productname> server runs should then be made a`
	`2160`	`+ member of the group that has access to those certificate and key files.`
	`2161`	`+ </para>`
	`2162`	`+`
	`2163`	`+ <para>`
`2153`	`2164`	`If the private key is protected with a passphrase, the`
`2154`	`2165`	`server will prompt for the passphrase and will not start until it has`
`2155`	`2166`	`been entered.`

`‎src/backend/libpq/be-secure-openssl.c`

Lines changed: 28 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -206,21 +206,44 @@ be_tls_init(void)`
`206`	`206`	`errmsg("could not access private key file \"%s\": %m",`
`207`	`207`	`ssl_key_file)));`
`208`	`208`
	`209`	`+if (!S_ISREG(buf.st_mode))`
	`210`	`+ereport(FATAL,`
	`211`	`+(errcode(ERRCODE_CONFIG_FILE_ERROR),`
	`212`	`+errmsg("private key file \"%s\" is not a regular file",`
	`213`	`+ssl_key_file)));`
	`214`	`+`
	`215`	`+/*`
	`216`	`+ * Refuse to load files owned by users other than us or root.`
	`217`	`+ *`
	`218`	`+ * XXX surely we can check this on Windows somehow, too.`
	`219`	`+ */`
	`220`	`+#if !defined(WIN32)&& !defined(__CYGWIN__)`
	`221`	`+if (buf.st_uid!=geteuid()&&buf.st_uid!=0)`
	`222`	`+ereport(FATAL,`
	`223`	`+(errcode(ERRCODE_CONFIG_FILE_ERROR),`
	`224`	`+errmsg("private key file \"%s\" must be owned by the database user or root",`
	`225`	`+ssl_key_file)));`
	`226`	`+#endif`
	`227`	`+`
`209`	`228`	`/*`
`210`		`- * Require no public access to key file.`
	`229`	`+ * Require no public access to key file. If the file is owned by us,`
	`230`	`+ * require mode 0600 or less. If owned by root, require 0640 or less`
	`231`	`+ * to allow read access through our gid, or a supplementary gid that`
	`232`	`+ * allows to read system-wide certificates.`
`211`	`233`	`*`
`212`	`234`	`* XXX temporarily suppress check when on Windows, because there may`
`213`	`235`	`* not be proper support for Unix-y file permissions. Need to think`
`214`	`236`	`* of a reasonable check to apply on Windows. (See also the data`
`215`	`237`	`* directory permission check in postmaster.c)`
`216`	`238`	`*/`
`217`	`239`	`#if !defined(WIN32)&& !defined(__CYGWIN__)`
`218`		`-if (!S_ISREG(buf.st_mode)\|\|buf.st_mode& (S_IRWXG \|S_IRWXO))`
	`240`	`+if ((buf.st_uid==geteuid()&&buf.st_mode& (S_IRWXG \|S_IRWXO))\|\|`
	`241`	`+(buf.st_uid==0&&buf.st_mode& (S_IWGRP \|S_IXGRP \|S_IRWXO)))`
`219`	`242`	`ereport(FATAL,`
`220`	`243`	`(errcode(ERRCODE_CONFIG_FILE_ERROR),`
`221`		`-errmsg("private key file \"%s\" has group or world access",`
`222`		`-ssl_key_file),`
`223`		`-errdetail("Permissions should beu=rw (0600) or less.")));`
	`244`	`+errmsg("private key file \"%s\" has group or world access",`
	`245`	`+ssl_key_file),`
	`246`	`+errdetail("File must have permissionsu=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.")));`
`224`	`247`	`#endif`
`225`	`248`
`226`	`249`	`if (SSL_CTX_use_PrivateKey_file(SSL_context,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9a83564

File tree

2 files changed

2 files changed

`‎doc/src/sgml/runtime.sgml`

`‎src/backend/libpq/be-secure-openssl.c`

0 commit comments