open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make be-secure-common.c more consistent for future SSL implementations

Browse Source 
Recent commit 8a3d9425 has introduced be-secure-common.c, which is aimed
at including backend-side APIs that can be used by any SSL
implementation.  The purpose is similar to fe-secure-common.c for the
frontend-side APIs.

However, this has forgotten to include check_ssl_key_file_permissions()
in the move, which causes a double dependency between be-secure.c and
be-secure-openssl.c.

Refactor the code in a more logical way.  This also puts into light an
API which is usable by future SSL implementations for permissions on SSL
key files.

Author: Michael Paquier <michael@paquier.xyz>
pull/27/merge
Peter Eisentraut 8 years ago
parent 7e0d64c7a5
commit 2764d5dcfa
3 changed files with 76 additions and 70 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 74
      src/backend/libpq/be-secure-common.c
  2. 69
      src/backend/libpq/be-secure.c
  3. 3
      src/include/libpq/libpq.h

74
src/backend/libpq/be-secure-common.c
Unescape View File

@ -19,6 +19,9 @@
#include "postgres.h" #include "postgres.h"
#include <sys/stat.h>
#include <unistd.h>
#include "libpq/libpq.h" #include "libpq/libpq.h"
#include "storage/fd.h" #include "storage/fd.h"
@ -118,3 +121,74 @@ error:
pfree(command.data); pfree(command.data);
return len; return len;
} }
/*
* Check permissions for SSL key files.
*/
bool
check_ssl_key_file_permissions(const char *ssl_key_file, bool isServerStart)
{
int loglevel = isServerStart ? FATAL : LOG;
struct stat buf;
if (stat(ssl_key_file, &buf) != 0)
{
ereport(loglevel,
(errcode_for_file_access(),
errmsg("could not access private key file \"%s\": %m",
ssl_key_file)));
return false;
}
if (!S_ISREG(buf.st_mode))
{
ereport(loglevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" is not a regular file",
ssl_key_file)));
return false;
}
/*
* Refuse to load key files owned by users other than us or root.
*
* XXX surely we can check this on Windows somehow, too.
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if (buf.st_uid != geteuid() && buf.st_uid != 0)
{
ereport(loglevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" must be owned by the database user or root",
ssl_key_file)));
return false;
}
#endif
/*
* Require no public access to key file. If the file is owned by us,
* require mode 0600 or less. If owned by root, require 0640 or less to
* allow read access through our gid, or a supplementary gid that allows
* to read system-wide certificates.
*
* XXX temporarily suppress check when on Windows, because there may not
* be proper support for Unix-y file permissions. Need to think of a
* reasonable check to apply on Windows. (See also the data directory
* permission check in postmaster.c)
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if ((buf.st_uid == geteuid() && buf.st_mode & (S_IRWXG | S_IRWXO)) ||
(buf.st_uid == 0 && buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)))
{
ereport(loglevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" has group or world access",
ssl_key_file),
errdetail("File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.")));
return false;
}
#endif
return true;
}

69
src/backend/libpq/be-secure.c
Unescape View File

@ -18,12 +18,10 @@
#include "postgres.h" #include "postgres.h"
#include <sys/stat.h>
#include <signal.h> #include <signal.h>
#include <fcntl.h> #include <fcntl.h>
#include <ctype.h> #include <ctype.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <unistd.h>
#include <netdb.h> #include <netdb.h>
#include <netinet/in.h> #include <netinet/in.h>
#ifdef HAVE_NETINET_TCP_H #ifdef HAVE_NETINET_TCP_H
@ -320,70 +318,3 @@ secure_raw_write(Port *port, const void *ptr, size_t len)
return n; return n;
} }
bool
check_ssl_key_file_permissions(const char *ssl_key_file, bool isServerStart)
{
int loglevel = isServerStart ? FATAL : LOG;
struct stat buf;
if (stat(ssl_key_file, &buf) != 0)
{
ereport(loglevel,
(errcode_for_file_access(),
errmsg("could not access private key file \"%s\": %m",
ssl_key_file)));
return false;
}
if (!S_ISREG(buf.st_mode))
{
ereport(loglevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" is not a regular file",
ssl_key_file)));
return false;
}
/*
* Refuse to load key files owned by users other than us or root.
*
* XXX surely we can check this on Windows somehow, too.
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if (buf.st_uid != geteuid() && buf.st_uid != 0)
{
ereport(loglevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" must be owned by the database user or root",
ssl_key_file)));
return false;
}
#endif
/*
* Require no public access to key file. If the file is owned by us,
* require mode 0600 or less. If owned by root, require 0640 or less to
* allow read access through our gid, or a supplementary gid that allows
* to read system-wide certificates.
*
* XXX temporarily suppress check when on Windows, because there may not
* be proper support for Unix-y file permissions. Need to think of a
* reasonable check to apply on Windows. (See also the data directory
* permission check in postmaster.c)
*/
#if !defined(WIN32) && !defined(__CYGWIN__)
if ((buf.st_uid == geteuid() && buf.st_mode & (S_IRWXG | S_IRWXO)) ||
(buf.st_uid == 0 && buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)))
{
ereport(loglevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("private key file \"%s\" has group or world access",
ssl_key_file),
errdetail("File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.")));
return false;
}
#endif
return true;
}

3
src/include/libpq/libpq.h
Unescape View File

@ -92,7 +92,6 @@ extern ssize_t secure_read(Port *port, void *ptr, size_t len);
extern ssize_t secure_write(Port *port, void *ptr, size_t len); extern ssize_t secure_write(Port *port, void *ptr, size_t len);
extern ssize_t secure_raw_read(Port *port, void *ptr, size_t len); extern ssize_t secure_raw_read(Port *port, void *ptr, size_t len);
extern ssize_t secure_raw_write(Port *port, const void *ptr, size_t len); extern ssize_t secure_raw_write(Port *port, const void *ptr, size_t len);
extern bool check_ssl_key_file_permissions(const char *ssl_key_file, bool isServerStart);
extern bool ssl_loaded_verify_locations; extern bool ssl_loaded_verify_locations;
@ -108,5 +107,7 @@ extern bool SSLPreferServerCiphers;
*/ */
extern int run_ssl_passphrase_command(const char *prompt, bool is_server_start, extern int run_ssl_passphrase_command(const char *prompt, bool is_server_start,
char *buf, int size); char *buf, int size);
extern bool check_ssl_key_file_permissions(const char *ssl_key_file,
bool isServerStart);
#endif /* LIBPQ_H */ #endif /* LIBPQ_H */

Write Preview
Loading…
Cancel
Save