diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2022-05-26 14:14:05 -0400 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2022-05-26 14:14:05 -0400 |
| commit | 01ab9fb7dee5f9445bae94a942afb6ee9bcccd4f (patch) | |
| tree | 07cff0072e9983edb4c0bd6facf62f16b29c7383 /src/backend/libpq/be-secure-common.c | |
| parent | 4368ef21895968884bbba4127f6aed4ce5cb5218 (diff) | |
| download | postgresql-01ab9fb7dee5f9445bae94a942afb6ee9bcccd4f.tar.gz postgresql-01ab9fb7dee5f9445bae94a942afb6ee9bcccd4f.zip | |
Remove misguided SSL key file ownership check in libpq.
Commits a59c79564 et al. tried to sync libpq's SSL key file
permissions checks with what we've used for years in the backend.
We did not intend to create any new failure cases, but it turns out
we did: restricting the key file's ownership breaks cases where the
client is allowed to read a key file despite not having the identical
UID. In particular a client running as root used to be able to read
someone else's key file; and having seen that I suspect that there are
other, less-dubious use cases that this restriction breaks on some
platforms.
We don't really need an ownership check, since if we can read the key
file despite its having restricted permissions, it must have the right
ownership --- under normal conditions anyway, and the point of this
patch is that any additional corner cases where that works should be
deemed allowable, as they have been historically. Hence, just drop
the ownership check, and rearrange the permissions check to get rid
of its faulty assumption that geteuid() can't be zero. (Note that the
comparable backend-side code doesn't have to cater for geteuid() == 0,
since the server rejects that very early on.)
This does have the end result that the permissions safety check used
for a root user's private key file is weaker than that used for
anyone else's. While odd, root really ought to know what she's doing
with file permissions, so I think this is acceptable.
Per report from Yogendra Suralkar. Like the previous patch,
back-patch to all supported branches.
Discussion: https://postgr.es/m/MW3PR15MB3931DF96896DC36D21AFD47CA3D39@MW3PR15MB3931.namprd15.prod.outlook.com
Diffstat (limited to 'src/backend/libpq/be-secure-common.c')
| -rw-r--r-- | src/backend/libpq/be-secure-common.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/backend/libpq/be-secure-common.c b/src/backend/libpq/be-secure-common.c index d2b1a152c2e..06f472c14c3 100644 --- a/src/backend/libpq/be-secure-common.c +++ b/src/backend/libpq/be-secure-common.c @@ -159,9 +159,10 @@ check_ssl_key_file_permissions(const char *ssl_key_file, bool isServerStart) * allow read access through either our gid or a supplementary gid that * allows us to read system-wide certificates. * - * Note that similar checks are performed in + * Note that roughly similar checks are performed in * src/interfaces/libpq/fe-secure-openssl.c so any changes here may need - * to be made there as well. + * to be made there as well. The environment is different though; this + * code can assume that we're not running as root. * * Ideally we would do similar permissions checks on Windows, but it is * not clear how that would work since Unix-style permissions may not be |