|
11 | 11 | * |
12 | 12 | * |
13 | 13 | * IDENTIFICATION |
14 | | - * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.45 2003/12/18 22:49:26 tgl Exp $ |
| 14 | + * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.46 2004/06/25 15:07:52 tgl Exp $ |
15 | 15 | * |
16 | 16 | * Since the server static private key ($DataDir/server.key) |
17 | 17 | * will normally be stored unencrypted so that the database |
@@ -650,13 +650,24 @@ initialize_SSL(void) |
650 | 650 | (errcode_for_file_access(), |
651 | 651 | errmsg("could not access private key file \"%s\": %m", |
652 | 652 | fnbuf))); |
| 653 | + |
| 654 | +/* |
| 655 | + * Require no public access to key file. |
| 656 | + * |
| 657 | + * XXX temporarily suppress check when on Windows, because there may |
| 658 | + * not be proper support for Unix-y file permissions. Need to think |
| 659 | + * of a reasonable check to apply on Windows. (See also the data |
| 660 | + * directory permission check in postmaster.c) |
| 661 | + */ |
| 662 | +#if !defined(__CYGWIN__)&& !defined(WIN32) |
653 | 663 | if (!S_ISREG(buf.st_mode)|| (buf.st_mode& (S_IRWXG |S_IRWXO))|| |
654 | 664 | buf.st_uid!=getuid()) |
655 | 665 | ereport(FATAL, |
656 | 666 | (errcode(ERRCODE_CONFIG_FILE_ERROR), |
657 | 667 | errmsg("unsafe permissions on private key file \"%s\"", |
658 | 668 | fnbuf), |
659 | 669 | errdetail("File must be owned by the database user and must have no permissions for \"group\" or \"other\"."))); |
| 670 | +#endif |
660 | 671 |
|
661 | 672 | if (!SSL_CTX_use_PrivateKey_file(SSL_context,fnbuf,SSL_FILETYPE_PEM)) |
662 | 673 | ereport(FATAL, |
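Review bot: The `#if !defined(__CYGWIN__) && !defined(WIN32)` guard at new line 662 compiles out the whole condition, including `!S_ISREG(buf.st_mode)`, which is a file-type test rather than a Unix permission test. On Windows and Cygwin builds `fnbuf` therefore reaches `SSL_CTX_use_PrivateKey_file` with no file-type, ownership or mode check, and with no `#else` branch nothing is logged to say the check was skipped. I would keep `if (!S_ISREG(buf.st_mode))` with its own FATAL report outside the guard, provided the Windows port headers define `S_ISREG` (not visible in this hunk), and leave only the `S_IRWXG | S_IRWXO` and `getuid()` tests inside it. The XXX comment could also state that on those platforms the unencrypted key is protected only by whatever file ACLs the administrator sets. `initialize_SSL` starts and ends outside the hunk.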
|