Dave Coventry wrote:
>> If you want SSL,
>> 2) Is there a file server.key? If yes, make it readable to the
>>   postgres user. If not, create it as documented.
> 
> Here is the contents of my /var/lib/postgresql/8.2/main/ :
> 
> [EMAIL PROTECTED]:/var/lib/postgresql/8.2/main# ls -l
> total 9
> drwx------ 7 postgres postgres 168 2008-06-29 11:27 base
> drwx------ 2 postgres postgres 768 2008-06-30 13:01 global
> drwx------ 2 postgres postgres  72 2008-06-24 09:37 pg_clog
> drwx------ 4 postgres postgres  96 2008-06-24 09:37 pg_multixact
> drwx------ 2 postgres postgres  72 2008-06-24 09:37 pg_subtrans
> drwx------ 2 postgres postgres  48 2008-06-24 09:37 pg_tblspc
> drwx------ 2 postgres postgres  48 2008-06-24 09:37 pg_twophase
> -rw------- 1 postgres postgres   4 2008-06-24 09:37 PG_VERSION
> drwx------ 3 postgres postgres 120 2008-06-24 09:37 pg_xlog
> -rw------- 1 postgres postgres 125 2008-06-30 08:59 postmaster.opts
> lrwxrwxrwx 1 root     root      31 2008-06-24 09:37 root.crt -> /etc/postgresql-common/root.crt
> lrwxrwxrwx 1 root     root      36 2008-06-24 09:37 server.crt -> /etc/ssl/certs/ssl-cert-snakeoil.pem
> lrwxrwxrwx 1 root     root      38 2008-06-24 09:37 server.key -> /etc/ssl/private/ssl-cert-snakeoil.key
> 
> 'server.key' seems to be writable to all and sundry, although the file
> it is linked to (ssl-cert-snakeoil.key) is not:
> 
> 
> [EMAIL PROTECTED]:/etc/ssl/private# ls -l
> total 4
> -rw------- 1 root ssl-cert 887 2008-06-11 12:18 ssl-cert-snakeoil.key

You will need to give postgres read permission to 
/etc/ssl/private/ssl-cert-snakeoil.key
This also means to give 'traverse directory' (x) permissions
on all the directories in the path to user postgres.

You can test it by becoming user postgres and trying to 'cat' the file.

Was it you who set up the system like that?
Maybe there are good reasons why the key file is only accessible by root.
Maybe you shouldn't use this file as your server key.
But these are considerations beyond my view here.

Yours,
Laurenz Albe

-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
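
The check described in the reply above (read permission on the key plus search permission on every directory leading to it), written out as an added example that is not part of the original message. The function names are hypothetical, and the code assumes plain owner/group/other mode bits only: ACLs, SELinux/AppArmor and root's override are not modelled.

```python
#!/usr/bin/env python3
"""Find the first path component whose mode bits stop a user from reading a key file."""
import os
import pwd
import sys

def class_bits(st, uid, gids):
    # Exactly one permission class applies: owner, else group, else other.
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(path, uid, gids):
    """Return (component, 'x' or 'r') for the first denial, or None if readable."""
    # Resolve symlinks first: a link's own lrwxrwxrwx bits play no part in
    # the access decision, only the target and its parent directories do.
    real = os.path.realpath(path)
    chain = [real]
    while os.path.dirname(chain[0]) != chain[0]:
        chain.insert(0, os.path.dirname(chain[0]))
    for comp in chain[:-1]:
        # Every directory on the way needs search (x) permission.
        if not class_bits(os.stat(comp), uid, gids) & 1:
            return comp, "x"
    # The file itself needs read (r) permission.
    if not class_bits(os.stat(real), uid, gids) & 4:
        return real, "r"
    return None

if __name__ == "__main__":
    # Defaults are the user and link named in the thread; override via argv.
    user = sys.argv[1] if len(sys.argv) > 1 else "postgres"
    path = sys.argv[2] if len(sys.argv) > 2 else \
        "/var/lib/postgresql/8.2/main/server.key"
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    hit = first_blocker(path, pw.pw_uid, gids)
    if hit:
        print(f"{user} lacks '{hit[1]}' on {hit[0]}")
    else:
        print(f"{user} can read {os.path.realpath(path)}")
```

Run it as root so that every component can be inspected; the result should agree with the 'cat' test done as the postgres user.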