| Lists: | pgsql-committers |
|---|
| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Allow root-owned SSL private keys in libpq, not only the backend |
| Date: | 2022-03-02 16:57:21 |
| Message-ID: | [email protected] |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Lists: | pgsql-committers |
Allow root-owned SSL private keys in libpq, not only the backend.
This change makes libpq apply the same private-key-file ownership
and permissions checks that we have used in the backend since commit
9a83564c5. Namely, that the private key can be owned by either the
current user or root (with different file permissions allowed in the
two cases). This allows system-wide management of key files, which
is just as sensible on the client side as the server, particularly
when the client is itself some application daemon.
Sync the comments about this between libpq and the backend, too.
Back-patch of a59c79564 and 50f03473e into all supported branches.
David Steele
Discussion: https://postgr.es/m/[email protected]
Branch
------
REL_13_STABLE
Modified Files
--------------
doc/src/sgml/libpq.sgml | 26 +++++++++++++++------
src/backend/libpq/be-secure-common.c | 28 +++++++++++-----------
src/interfaces/libpq/fe-secure-openssl.c | 40 +++++++++++++++++++++++++++++---
3 files changed, 69 insertions(+), 25 deletions(-)
| From: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: pgsql: Allow root-owned SSL private keys in libpq, not only the backend |
| Date: | 2022-03-31 07:34:24 |
| Message-ID: | [email protected] |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Lists: | pgsql-committers |
On 02.03.22 17:57, Tom Lane wrote:
> Allow root-owned SSL private keys in libpq, not only the backend.
>
> This change makes libpq apply the same private-key-file ownership
> and permissions checks that we have used in the backend since commit
> 9a83564c5. Namely, that the private key can be owned by either the
> current user or root (with different file permissions allowed in the
> two cases). This allows system-wide management of key files, which
> is just as sensible on the client side as the server, particularly
> when the client is itself some application daemon.
>
> Sync the comments about this between libpq and the backend, too.
>
> Back-patch of a59c79564 and 50f03473e into all supported branches.
I think this
libpq_gettext("private key file \"%s\" is not a regular file"),
should have a trailing newline in the string.
| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
| Cc: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: pgsql: Allow root-owned SSL private keys in libpq, not only the backend |
| Date: | 2022-03-31 13:53:39 |
| Message-ID: | [email protected] |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Lists: | pgsql-committers |
Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> writes:
> I think this
> libpq_gettext("private key file \"%s\" is not a regular file"),
> should have a trailing newline in the string.
Thanks, will fix.
regards, tom lane