Re: Unable to connect to PostgreSQL DB as root user when private key is owned by root with permission 640
David Steele <david@pgmasters.net>
From: David Steele <david@pgmasters.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: "Suralkar, Yogendra (Yogendra)" <suralkary@avaya.com>,
"pgsql-bugs@lists.postgresql.org" <pgsql-bugs@lists.postgresql.org>,
"Porob, Dattaram (Datta)" <porobd@avaya.com>,
"Oswal, Prashant (Prashant) **CTR**" <poswal@avaya.com>,
"Patil, Parag (Parag)" <paragp@avaya.com>,
"Devaraj, Sankar (Sankar)" <devarajs@avaya.com>,
"Singh, Payal (Payal) **CTR**" <payals@avaya.com>
Date: 2022-05-26T20:01:49Z
Lists: pgsql-bugs
On 5/26/22 2:16 PM, Tom Lane wrote: > David Steele <david@pgmasters.net> writes: >> On 5/24/22 16:05, Tom Lane wrote: >>> After further poking at this, I see that we also have to drop the check of >>> file ownership. That was already dropped once long ago (3405f2b9253), on >>> the grounds that if the file has suitable permissions but its ownership >>> isn't what we expect then our read attempt will fail, so we needn't check >>> ownership explicitly. While I'd prefer a more explicit error than the >>> "Permission denied" that you get with this approach, the intent of this >>> patch was not to create any new failure modes, so I think we're stuck >>> with that. > >> That makes sense. Seems I should have dug further into why the server >> does this but the client does not. > > Pushed that. Excellent. Thank you! >>> Open questions: >>> * This puts us back into a situation where the frontend and server tests >>> are not in sync. Do we want to relax the server's checks to match this, >>> or just leave that side as it stands? > >> I'm inclined to leave it as is in the back branches to avoid any other >> unintended consequences. Perhaps we could make the change for PG15? > > Yeah, I'm unenthused now about touching this in the back branches. > But do we want to do it in HEAD, or just leave well enough alone? After thinking on it for a bit I believe we should leave well enough alone. This code is rarely touched so I don't think it's a very big deal. Regards, -- -David david@pgmasters.net
Commits
-
Remove misguided SSL key file ownership check in libpq.
- ef54a65762f0 10.22 landed
- b4be4a082bde 14.4 landed
- a44bc8b8f421 11.17 landed
- 9e3dbc6fd9a3 13.8 landed
- 2b65de7fc296 15.0 landed
- 01ab9fb7dee5 12.12 landed