Re: Relaxing SSL key permission checks
| From | Christoph Berg |
|---|---|
| Subject | Re: Relaxing SSL key permission checks |
| Date | |
| Msg-id | 20160219115334.GB26862@msg.df7cb.de |
| In response to | Re: Relaxing SSL key permission checks (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses | Re: Relaxing SSL key permission checks |
| List | pgsql-hackers |

Re: Tom Lane 2016-02-18 <27423.1455809676@sss.pgh.pa.us>
> I did have a thought though: could we allow two distinct permissions
> configurations? That is, allow either:
>
> * file is owned by us, mode 0600 or less
>
> * file is owned by root, mode 0640 or less
>
> The first case is what we allow today. (We don't need an explicit
> ownership check; if the mode is 0600 and we can read it, we must be
> the owner.) The second case is what Debian wants. We already know
> we are not root, so if we can read the file, we must be part of the
> group that root has allowed to read the file, and at that point it's
> on root's head whether or not that group is secure. I don't have a
> problem with trusting root's judgment on security matters --- if the
> root admin is incompetent, there are probably holes everywhere anyway.

Makes sense to me.

> The problem with the proposed patch is that it's conflating these
> distinct cases, but that's easily fixed.

Updated patch attached.

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/