authorPeter Eisentraut <peter_e@gmx.net>2016-03-19 11:03:22 +0100
committerPeter Eisentraut <peter_e@gmx.net>2016-03-19 11:03:22 +0100
commit9a83564c58b7f6363141a8f1d0c87c89a5ebab5d (patch)
treed2384dd046c095d689fea1a8a395e1729bce8939 /src/backend/libpq/be-secure-openssl.c
parent6eb2be15b5d24b98d334a9dd637f0edb37e2eb7e (diff)
Allow SSL server key file to have group read access if owned by root
We used to require the server key file to have permissions 0600 or less for best security. But some systems (such as Debian) have certificate and key files managed by the operating system that can be shared with other services. In those cases, the "postgres" user is made a member of a special group that has access to those files, and the server key file has permissions 0640. To accommodate that kind of setup, also allow the key file to have permissions 0640 but only if owned by root. From: Christoph Berg <myon@debian.org> Reviewed-by: Alvaro Herrera <alvherre@alvh.no-ip.org>
Diffstat (limited to 'src/backend/libpq/be-secure-openssl.c')
-rw-r--r--src/backend/libpq/be-secure-openssl.c33
1 files changed, 28 insertions, 5 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 1e3dfb6b3aa..600966347e6 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -206,8 +206,30 @@ be_tls_init(void)
errmsg("could not access private key file \"%s\": %m",
ssl_key_file)));
+ if (!S_ISREG(buf.st_mode))
+ ereport(FATAL,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("private key file \"%s\" is not a regular file",
+ ssl_key_file)));
+
+ /*
+ * Refuse to load files owned by users other than us or root.
+ *
+ * XXX surely we can check this on Windows somehow, too.
+ */
+#if !defined(WIN32) && !defined(__CYGWIN__)
+ if (buf.st_uid != geteuid() && buf.st_uid != 0)
+ ereport(FATAL,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("private key file \"%s\" must be owned by the database user or root",
+ ssl_key_file)));
+#endif
+
/*
- * Require no public access to key file.
+ * Require no public access to key file. If the file is owned by us,
+ * require mode 0600 or less. If owned by root, require 0640 or less
+ * to allow read access through our gid, or a supplementary gid that
+ * allows to read system-wide certificates.
*
* XXX temporarily suppress check when on Windows, because there may
* not be proper support for Unix-y file permissions. Need to think
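Review bot: The ownership check added here (`buf.st_uid != geteuid() && buf.st_uid != 0`) does not look at `buf.st_gid`, so a root-owned 0640 key passes the mode test in the next hunk whatever group owns the file, while the commit description presumes a dedicated group that only the intended services belong to. Since the expected group is not known to this code, that assumption should at least be stated in the new block comment, e.g. `* Note that the file's group is not checked; the 0640 case relies on the` / `* administrator keeping that group restricted to services that need the key.`. The `S_ISREG` test has also moved out of the `!defined(WIN32)` guard, which appears to make non-regular-file keys a fatal error on Windows for the first time; if that is intended, a word in the commit message or comment would help. be_tls_init continues outside this hunk.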
@@ -215,12 +237,13 @@ be_tls_init(void)
* directory permission check in postmaster.c)
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
- if (!S_ISREG(buf.st_mode) || buf.st_mode & (S_IRWXG | S_IRWXO))
+ if ((buf.st_uid == geteuid() && buf.st_mode & (S_IRWXG | S_IRWXO)) ||
+ (buf.st_uid == 0 && buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)))
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("private key file \"%s\" has group or world access",
- ssl_key_file),
- errdetail("Permissions should be u=rw (0600) or less.")));
+ errmsg("private key file \"%s\" has group or world access",
+ ssl_key_file),
+ errdetail("File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.")));
#endif
if (SSL_CTX_use_PrivateKey_file(SSL_context,