Re: Allow root ownership of client certificate key
David Steele <david@pgmasters.net>
From: David Steele <david@pgmasters.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Stephen Frost <sfrost@snowman.net>,
PostgreSQL Developers <pgsql-hackers@lists.postgresql.org>
Date: 2022-02-16T18:57:15Z
Lists: pgsql-hackers
Attachments
- client-key-perm-003.patch (text/plain) patch
Hi Tom,
On 1/18/22 14:41, Tom Lane wrote:
> David Steele <david@pgmasters.net> writes:
>> [ client-key-perm-002.patch ]
>
> I took a quick look at this and agree with the proposed behavior
> change, but also with your self-criticisms:
>
>> We may want to do the same on the server side to make the code blocks
>> look more similar.
>>
>> Also, on the server side the S_ISREG() check gets its own error and that
>> might be a good idea on the client side as well. As it is, the error
>> message on the client is going to be pretty confusing in this case.
>
> Particularly, I think the S_ISREG check should happen before any
> ownership/permissions checks; it just seems saner that way.
The two blocks of code now look pretty much identical except for error
handling and the reference to the other file. Also, the indentation for
the comment on the server side is less but I kept the comment formatting
the same to make it easier to copy the comment back and forth.
> The only other nitpick I have is that I'd make the cross-references be
> to the two file names, ie like "Note that similar checks are performed
> in fe-secure-openssl.c ..." References to the specific functions seem
> likely to bit-rot in the face of future code rearrangements.
> I suppose filename references could become obsolete too, but it
> seems less likely.
Updated these to reference the file instead of the function.
I still don't think we can commit the test for root ownership, but
testing it manually got a whole lot easier after the refactor in
c3b34a0f. Before that you had to hack up the source tree, which is a
pain depending on how it is mounted (I'm testing in a container).
So, to test the new functionality, just add this snippet on line 57 of
001_ssltests.pl:
chmod 0640, "$cert_tempdir/client.key"
or die "failed to change permissions on $cert_tempdir/client.key: $!";
system_or_bail("sudo chown root $cert_tempdir/client.key");
If you can think of a way to add this to the tests I'm all ears. Perhaps
we could add these lines commented out and explain what they are for?
Regards,
-David
Commits
-
Allow root-owned SSL private keys in libpq, not only the backend.
- 9050999efea7 10.21 landed
- 72918ea86cb9 12.11 landed
- 6599d8f12642 13.7 landed
- 5bb3d91ea926 11.16 landed
- 2a1f84636dc3 14.3 landed
- a59c79564bdc 15.0 landed
-
Doc: update libpq.sgml for root-owned SSL private keys.
- 50f03473ed81 15.0 landed