Relaxing SSL key permission checks

From: Christoph Berg
Subject: Relaxing SSL key permission checks
Msg-id: 20160218133438.GC15260@msg.df7cb.de
Replies: Re: Relaxing SSL key permission checks  (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-hackers

Hi,

Currently the server insists on ssl_key_file's permissions to be 0600
or less, and be owned by the database user. Debian has been patching
be-secure.c since forever (the git history goes back to 8.2beta1) to
relax that to 0640 or less, and owned by root or the database user.

The reason for that is that we hooked the SSL certificate handling
into the system's /etc/ssl/ directory structure where private keys are
supposed to have permissions 0640 root:ssl-cert. The postgres user is
a member of the ssl-cert group so it can read the key.

In the old days before 9.2 the server expected the SSL files in
PGDATA, and we created symlinks from there to /etc/ssl/. Since 9.2,
these certs are used in the ssl_*_file options.

Using symlinks in PGDATA to use system-wide certificates might have
been a hack, but with the "new" ssl_*_file options I think it might be
prudent to get the "allow group ssl-cert" patch upstreamed.

Comments? (There's no documentation yet, I'll add that if the feedback
is positive.)

Thanks,
Christoph
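
The two policies described in the message above, side by side, as an added example that is not part of the original message and is not the code from be-secure.c or from the Debian patch. Assumptions: the names `key_policy`, `key_perms_ok` and `check_key_file` are hypothetical, and "0600 or less" / "0640 or less" is read as "no group or other permission bits beyond those in the mask".

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names; the two policies are the ones the message describes. */
typedef enum { KEY_POLICY_STRICT, KEY_POLICY_RELAXED } key_policy;

/*
 * Pure decision function: given the key file's mode and owner, and the uid
 * the server runs as, decide whether the private key file is acceptable.
 */
bool key_perms_ok(mode_t mode, uid_t owner, uid_t db_uid, key_policy policy)
{
    /* Bits that must not be set. Strict: any group or other access. */
    mode_t forbidden = S_IRWXG | S_IRWXO;
    bool owner_ok = (owner == db_uid);

    if (policy == KEY_POLICY_RELAXED)
    {
        forbidden &= ~(mode_t) S_IRGRP;       /* tolerate group read (0640) */
        owner_ok = owner_ok || (owner == 0);  /* tolerate root ownership */
    }
    return owner_ok && (mode & forbidden) == 0;
}

/* Stat a real file and apply the policy for the current effective uid. */
int check_key_file(const char *path, key_policy policy)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;                            /* missing or inaccessible path */
    return key_perms_ok(st.st_mode, st.st_uid, geteuid(), policy) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Print the verdict of both policies for each path given. */
    for (int i = 1; i < argc; i++)
        printf("%s: strict=%d relaxed=%d\n", argv[i],
               check_key_file(argv[i], KEY_POLICY_STRICT),
               check_key_file(argv[i], KEY_POLICY_RELAXED));
    return 0;
}
```

Under the relaxed policy the key is readable by every member of the file's group, so membership of that group (ssl-cert in the setup described above) becomes part of what protects the key.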
