
Re: [pgadmin-hackers] file permission on ssl key

On 04/23/2017 07:42 PM, Ashesh Vashi wrote:
Hi Jeroen,

This is pgAdmin hackers list.
Please send mail to pgsql-general@xxxxxxxxxxxxxx
<mailto:pgsql-general@xxxxxxxxxxxxxx> mailing list for your postgresql
related queries.

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
<http://www.enterprisedb.com>


http://www.linkedin.com/in/asheshvashi/


On Sun, Apr 23, 2017 at 11:25 PM, Jeroen Jacobs
<jeroen.jacobs@xxxxxxxxxxxxxx <mailto:jeroen.jacobs@xxxxxxxxxxxxxx>> wrote:

    Hi,

    I'm getting this error when I try to configure ssl with postgres:

What version of Postgres?

https://www.postgresql.org/docs/9.6/static/release-9-6.html

"Allow the server's SSL key file to have group read access if it is owned by root (Christoph Berg)

Formerly, we insisted the key file be owned by the user running the PostgreSQL server, but that is inconvenient on some systems (such as Debian) that are configured to manage certificates centrally. Therefore, allow the case where the key file is owned by root and has group read access. It is up to the operating system administrator to ensure that the group does not include any untrusted users.
"


    pr 23 13:12:47 pgmaster01 pg_ctl: FATAL:  private key file
    "/etc/ssl/pgmaster01-key.pem" has group or world access
    Apr 23 13:12:47 pgmaster01 pg_ctl: DETAIL:  Permissions should be
    u=rw (0600) or less.

    The actual permission is:

    centos@pgmaster01 ~]$ ls -l /etc/ssl/pgmaster01-key.pem
    -r--r----- 1 root ssl-read 3243 Apr 23 00:00 /etc/ssl/pgmaster01-key.pem

    postgres user is part of the ssl-read group. This ssl key is shared
    with other software as well, so giving exclusive access to the
    postgres user is NOT an option.

    I understand why postgres complains, but I'm pretty sure about what
    I'm doing here. How can I tell postgres to start anyway, even when
    it doesn't like those permissions? There should be a way to override
    this, I'm the admin here, it's up to me to decide to implement my
    security setup, not the software itself.

    So basically I have three options:

    - don't use ssl at all (not an option at all, actually)
    - create a separate copy of my ssl key file with the correct
    permissions that postgres likes (ugly workaround)
    - use another database server which allows me to configure it how I
    want it.

    I'm actually considering settling for the last solution, due to this
    crazy restriction you put in place...


    Regards,

    Jeroen.




--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
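The rule quoted from the 9.6 release notes, written out as an added check that is not part of this thread or of PostgreSQL's own source: a key file passes if it is a regular file owned by the server user with no group or world bits (0600 or less), or, from 9.6 on, owned by root with at most group read (0640 or less). The function and parameter names are this example's own; the `pg96_or_later` switch turns the root exception off to show why the thread's root:ssl-read 0440 file is rejected by an older server but accepted by 9.6.

```python
import os
import stat
from typing import Optional, Tuple


def check_ssl_key_perms(st_mode: int, st_uid: int, server_uid: int,
                        pg96_or_later: bool = True) -> Tuple[bool, str]:
    """Apply the key-file rule to a file's mode bits and owner uid.

    Returns (ok, reason). With pg96_or_later=False the root exception is
    switched off, which reproduces the 0600-only complaint seen in the thread.
    """
    if not stat.S_ISREG(st_mode):
        return False, "private key file is not a regular file"
    perm = stat.S_IMODE(st_mode)
    # Assumption of this example: in both modes the owner must be the
    # database user or root; anything else is refused outright.
    if st_uid not in (server_uid, 0):
        return False, "private key file must be owned by the database user or root"
    if st_uid == 0 and pg96_or_later:
        # Root-owned (centrally managed certs): group read only, nothing else.
        if perm & (stat.S_IWGRP | stat.S_IXGRP | stat.S_IRWXO):
            return False, ("root-owned key has group write/execute or world access; "
                           "permissions should be u=rw,g=r (0640) or less")
        return True, "ok: root-owned, mode %04o (group read permitted)" % perm
    # Owned by the database user (or root on a pre-9.6 server): no group/world bits.
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        return False, ("private key file has group or world access; "
                       "permissions should be u=rw (0600) or less")
    return True, "ok: mode %04o, no group or world access" % perm


def check_ssl_key_file(path: str, server_uid: Optional[int] = None,
                       pg96_or_later: bool = True) -> Tuple[bool, str]:
    """Stat a real key file and apply the rule. The server user defaults to
    the caller's effective uid, so run this as postgres or pass its uid."""
    st = os.stat(path)
    uid = os.geteuid() if server_uid is None else server_uid
    return check_ssl_key_perms(st.st_mode, st.st_uid, uid, pg96_or_later)


if __name__ == "__main__":
    import sys
    ok, why = check_ssl_key_file(sys.argv[1])
    print(("OK" if ok else "FATAL") + ": " + why)
    sys.exit(0 if ok else 1)
```

Run it against a key file before starting the server to see which of the two rules it would trip, instead of learning it from the FATAL line in the log.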


--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general


