>  It flies in the face of security concerns, and your arguments in favor
> of it are pretty thin.
To me the existing check looked pretty loose and I am probably not fully
aware of the security constraints here, hence the suggested patch.

> Really?  It's based on fstat which is going to check the actually-opened
> file.
My bad, I was testing with group read permission, before realizing that
those aren't allowed either.

> Another idea could be to fail the connection instead of treating this as
> a warning condition.
As noted in the proposal, if the check stays I'd argue that it should be an
error.
I can't imagine a case where the user is happy with specifying a passfile
and having it be ignored, but maybe somebody can think of a scenario.
Other permission checks are already errors (as in
/src/interfaces/libpq/fe-secure-openssl.c:1269)

> But I imagine that if the passfile would actually be used, the connection
> would fail anyway.
I'm not sure I am following. Yes, the authentication doesn't work without
the passfile, but error cause message and error effect messages are
disconnected in the logs.

> We could certainly have a discussion about whether the scenario being
> catered to there (a root-owned file that we have group access to) is
> sensible for password files.
In Kubernetes, when setting "defaultMode: 0400" and
"securityContext.fsGroup: 2000" to mount a file for example you end up with
the minimal permissions on the mounted file:
-r--r----- 1 root 2000  90 Sep  1 14:42 password
This is just one example use case, I'd imagine others can think of more.
Maybe someone is running a database server and client application with
separate users on a system and symlinks the passfile or references it by
path to have a single source of truth.

> In general I'm open to carefully-thought-out improvements to this check
Converting the warning to an error and allowing group read permissions
would be a solid solution IMO.
If that turns out to be accepted, I'd be happy to update the patch but I
have no experience with the codebase, nor professional C experience.
I can give it a try, but it might be easier for everyone if someone more
familiar with the code implements the change.
Let me know how to proceed.

Kind regards
Paul Ohlhauser

PS:
> please use an email agent that provides References
Sorry I switched email addresses after my first mail and hoped it would
connect the thread.
I won't be switching addresses again any time soon.
