Re: [GENERAL] [pgadmin-hackers] file permission on ssl key

[Adrian Klaver]

On 04/23/2017 07:42 PM, Ashesh Vashi wrote:
Hi Jeroen,
This is pgAdmin hackers list.
Please send mail to pgsql-general@postgresql.org
<mailto:pgsql-general@postgresql.org> mailing list for your postgresql
related queries.

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
<http://www.enterprisedb.com>


/http://www.linkedin.com/in/asheshvashi/


On Sun, Apr 23, 2017 at 11:25 PM, Jeroen Jacobs
<jeroen.jac...@headincloud.be <mailto:jeroen.jac...@headincloud.be>> wrote:

    Hi,

    I'm getting this error when I try to configure ssl with postgres:

What version of Postgres?

https://www.postgresql.org/docs/9.6/static/release-9-6.html

"Allow the server's SSL key file to have group read access if it is 
owned by root (Christoph Berg)

Formerly, we insisted the key file be owned by the user running the 
PostgreSQL server, but that is inconvenient on some systems (such as 
Debian) that are configured to manage certificates centrally. Therefore, 
allow the case where the key file is owned by root and has group read 
access. It is up to the operating system administrator to ensure that 
the group does not include any untrusted users.
"


    pr 23 13:12:47 pgmaster01 pg_ctl: FATAL:  private key file
    "/etc/ssl/pgmaster01-key.pem" has group or world access
    Apr 23 13:12:47 pgmaster01 pg_ctl: DETAIL:  Permissions should be
    u=rw (0600) or less.

    The actual permission is:

    centos@pgmaster01 ~]$ ls -l /etc/ssl/pgmaster01-key.pem
    -r--r----- 1 root ssl-read 3243 Apr 23 00:00 /etc/ssl/pgmaster01-key.pem

    postgres user is part of the ssl-read group. Thi ssl key is shared
    with other software as well, so giving exclusive access to the
    postgres user is NOT an option.

    I understand why postgres complains, but I'm pretty sure about what
    I'm doing here. How can I tell postgres to start anyway, even when
    it doesn't like those permissions? There should be a way to override
    this, I'm the admin here, it's up to me to decide to implement my
    security setup, not the software itself.

    So basically I have three options:

    - don't use ssl at all (not an option at all, actually)
    - create a separate copy of my ssl key file with the correct
    permissions that postgres likes (ugly workaround)
    - use another database server which allows me to configure it how I
    want it.

    I'm actually considering settling for the last solution, due to this
    crazy restriction you put in place...


    Regards,

    Jeroen.




--
Adrian Klaver
adrian.kla...@aklaver.com


--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general