Re: Unable to connect to PostgreSQL DB as root user when private key is owned by root with permission 640

David Steele <david@pgmasters.net>

From: David Steele <david@pgmasters.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: "Suralkar, Yogendra (Yogendra)" <suralkary@avaya.com>, "pgsql-bugs@lists.postgresql.org" <pgsql-bugs@lists.postgresql.org>, "Porob, Dattaram (Datta)" <porobd@avaya.com>, "Oswal, Prashant (Prashant) **CTR**" <poswal@avaya.com>, "Patil, Parag (Parag)" <paragp@avaya.com>, "Devaraj, Sankar (Sankar)" <devarajs@avaya.com>, "Singh, Payal (Payal) **CTR**" <payals@avaya.com>
Date: 2022-05-26T20:01:49Z
Lists: pgsql-bugs
On 5/26/22 2:16 PM, Tom Lane wrote:
> David Steele <david@pgmasters.net> writes:
>> On 5/24/22 16:05, Tom Lane wrote:
>>> After further poking at this, I see that we also have to drop the check of
>>> file ownership.  That was already dropped once long ago (3405f2b9253), on
>>> the grounds that if the file has suitable permissions but its ownership
>>> isn't what we expect then our read attempt will fail, so we needn't check
>>> ownership explicitly.  While I'd prefer a more explicit error than the
>>> "Permission denied" that you get with this approach, the intent of this
>>> patch was not to create any new failure modes, so I think we're stuck
>>> with that.
> 
>> That makes sense. Seems I should have dug further into why the server
>> does this but the client does not.
> 
> Pushed that.

Excellent. Thank you!

>>> Open questions:
>>> * This puts us back into a situation where the frontend and server tests
>>> are not in sync.  Do we want to relax the server's checks to match this,
>>> or just leave that side as it stands?
> 
>> I'm inclined to leave it as is in the back branches to avoid any other
>> unintended consequences. Perhaps we could make the change for PG15?
> 
> Yeah, I'm unenthused now about touching this in the back branches.
> But do we want to do it in HEAD, or just leave well enough alone?

After thinking on it for a bit I believe we should leave well enough 
alone. This code is rarely touched so I don't think it's a very big deal.

Regards,
-- 
-David
david@pgmasters.net



Commits

  1. Remove misguided SSL key file ownership check in libpq.