Re: [GENERAL] [pgadmin-hackers] file permission on ssl key

From Adrian Klaver
Subject Re: [GENERAL] [pgadmin-hackers] file permission on ssl key
Date
Msg-id ceefdcde-3472-39ab-38ef-9b6ddb296e2e@aklaver.com
In response to Re: [GENERAL] [pgadmin-hackers] file permission on ssl key  (Ashesh Vashi <ashesh.vashi@enterprisedb.com>)
List pgsql-general
On 04/23/2017 07:42 PM, Ashesh Vashi wrote:
> Hi Jeroen,
>
> This is pgAdmin hackers list.
> Please send mail to pgsql-general@postgresql.org
> <mailto:pgsql-general@postgresql.org> mailing list for your postgresql
> related queries.
>
> --
>
> Thanks & Regards,
>
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company
> <http://www.enterprisedb.com>
>
>
> http://www.linkedin.com/in/asheshvashi/
>
>
> On Sun, Apr 23, 2017 at 11:25 PM, Jeroen Jacobs
> <jeroen.jacobs@headincloud.be <mailto:jeroen.jacobs@headincloud.be>> wrote:
>
>     Hi,
>
>     I'm getting this error when I try to configure ssl with postgres:

What version of Postgres?

https://www.postgresql.org/docs/9.6/static/release-9-6.html

"Allow the server's SSL key file to have group read access if it is
owned by root (Christoph Berg)

Formerly, we insisted the key file be owned by the user running the
PostgreSQL server, but that is inconvenient on some systems (such as
Debian) that are configured to manage certificates centrally. Therefore,
allow the case where the key file is owned by root and has group read
access. It is up to the operating system administrator to ensure that
the group does not include any untrusted users.
"

>
>     pr 23 13:12:47 pgmaster01 pg_ctl: FATAL:  private key file
>     "/etc/ssl/pgmaster01-key.pem" has group or world access
>     Apr 23 13:12:47 pgmaster01 pg_ctl: DETAIL:  Permissions should be
>     u=rw (0600) or less.
>
>     The actual permission is:
>
>     centos@pgmaster01 ~]$ ls -l /etc/ssl/pgmaster01-key.pem
>     -r--r----- 1 root ssl-read 3243 Apr 23 00:00 /etc/ssl/pgmaster01-key.pem
>
>     postgres user is part of the ssl-read group. This ssl key is shared
>     with other software as well, so giving exclusive access to the
>     postgres user is NOT an option.
>
>     I understand why postgres complains, but I'm pretty sure about what
>     I'm doing here. How can I tell postgres to start anyway, even when
>     it doesn't like those permissions? There should be a way to override
>     this, I'm the admin here, it's up to me to decide to implement my
>     security setup, not the software itself.
>
>     So basically I have three options:
>
>     - don't use ssl at all (not an option at all, actually)
>     - create a separate copy of my ssl key file with the correct
>     permissions that postgres likes (ugly workaround)
>     - use another database server which allows me to configure it how I
>     want it.
>
>     I'm actually considering settling for the last solution, due to this
>     crazy restriction you put in place...
>
>
>     Regards,
>
>     Jeroen.
>
>


--
Adrian Klaver
adrian.klaver@aklaver.com
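The release note Adrian quotes changes one permission rule, and whether Jeroen's file passes depends entirely on which rule his server applies. The script below is an added example, not code from this thread or from PostgreSQL itself: it re-implements the key-file ownership and mode check as a small shell function so the two rules can be compared side by side. The bit masks follow the 9.6 server's check as the release note describes it (owner must be the server user or root; server-owned files may have no group or world bits, 0600 or less; under 9.6+ a root-owned file may additionally carry group read, 0640 or less). The server uid of 26 is an assumed value for the postgres account, the `check_pg_key_file` wrapper assumes GNU `stat`, and the demo file (root-owned, mode 0440) is constructed to match the `ls -l` output in the quoted mail.

```shell
#!/bin/sh
# Added example: re-implements PostgreSQL's private-key permission check for
# the two rules discussed in the thread. Not code from the thread or from
# PostgreSQL; masks follow the 9.6 server's check as the release note describes it.
#
# pg_ssl_key_ok OWNER_UID MODE SERVER_UID RELAXED
#   OWNER_UID  numeric uid owning the key file
#   MODE       permission bits, octal (440 or 0440 both work)
#   SERVER_UID uid the postmaster runs as
#   RELAXED    1 = 9.6+ rule (root owner may grant group read), 0 = pre-9.6 rule
# Returns 0 when the server would load the key, 1 when it would refuse it.
pg_ssl_key_ok() {
    owner=$1
    mode=$(( 0$2 ))      # leading zero forces octal interpretation
    server=$3
    relaxed=$4

    # Only the server user or root may own the key file (true under both rules).
    if [ "$owner" -ne "$server" ] && [ "$owner" -ne 0 ]; then
        return 1
    fi

    if [ "$owner" -eq 0 ] && [ "$relaxed" -eq 1 ]; then
        # 9.6+: a root-owned file may be u=rw,g=r (0640) or less:
        # no group write/exec and no world bits (mask 0037).
        [ $(( mode & 0037 )) -eq 0 ] && return 0
        return 1
    fi

    # Otherwise: u=rw (0600) or less, i.e. no group or world bits (mask 0077).
    # This is the branch behind the FATAL "has group or world access" in the thread.
    [ $(( mode & 0077 )) -eq 0 ] && return 0
    return 1
}

# check_pg_key_file PATH SERVER_UID RELAXED
#   Wrapper that reads owner uid and mode from a real file (assumes GNU stat).
check_pg_key_file() {
    path=$1
    set -- $(stat -c '%u %a' "$path") "$2" "$3"
    if pg_ssl_key_ok "$1" "$2" "$3" "$4"; then
        echo "$path: would be accepted (owner uid $1, mode 0$2)"
    else
        echo "$path: would be refused (owner uid $1, mode 0$2)"
    fi
}

# Constructed demo matching the file in the thread: root:ssl-read, mode 0440,
# with the server assumed to run as uid 26 (the postgres account).
for relaxed in 0 1; do
    if pg_ssl_key_ok 0 440 26 "$relaxed"; then verdict=accepted; else verdict=refused; fi
    echo "root-owned 0440 key, relaxed=$relaxed: $verdict"
done
```

Run against a real installation as `check_pg_key_file /etc/ssl/pgmaster01-key.pem "$(id -u postgres)" 1`. The demo loop shows the practical point of Adrian's question: a root-owned key with mode 0440 is refused by the pre-9.6 rule and accepted by the 9.6 rule, so the quoted FATAL indicates a server older than 9.6, where the only fixes are upgrading or giving the server its own 0600 copy of the key. The 9.6 rule also shows where the remaining trust sits, in the membership of the group that can read the file, which is what the release note's last sentence leaves to the administrator.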

