Bogus error message about private key (not a bug).

Hi there,

PostgreSQL 7.4.6 gives the following error message when trying to read the
private key in the case of:

-rw------- 1 root root 887 Aug 19 15:01 /var/lib/postgres/data/server.key

2004-11-13 13:04:42 [4095] FATAL: unsafe permissions on private key file
"/var/lib/postgres/data/server.key"
DETAIL: File must be owned by the database user and must have no permissions
for "group" or "other".

I believe that the checks in src/backend/libpq/be-secure.c:653 should be
performed in a different order (first the access permissions and then the
owner of the key) just to give a more appropriate message.

Thanks in advance,

<<V13>>

Stefanos Harhalakis <v13(at)priest(dot)com> writes:
> I believe that the checks in src/backend/libpq/be-secure.c:653 should be
> performed in a different order (first the access permissions and then the
> owner of the key) just to give a more appropriate message.

Changing the order of the tests wouldn't change the message, though,
'cause there's just one message. Are you suggesting more than one
message? Not sure it's worth the trouble ...

regards, tom lane

On Tuesday 16 November 2004 21:06, Tom Lane wrote:
> Stefanos Harhalakis <v13(at)priest(dot)com> writes:
> > I believe that the checks in src/backend/libpq/be-secure.c:653 should be
> > performed in a different order (first the access permissions and then the
> > owner of the key) just to give a more appropriate message.
>
> Changing the order of the tests wouldn't change the message, though,
> 'cause there's just one message. Are you suggesting more than one
> message? Not sure it's worth the trouble ...

I meant the next error message which says "could not load private key file".
This is from SSL_CTX_use_PrivateKey_file() so something like this:

--- be-secure.c.orig 2004-11-16 22:30:35.000000000 +0200
+++ be-secure.c 2004-11-16 22:32:42.000000000 +0200
@@ -650,6 +650,11 @@
(errcode_for_file_access(),
errmsg("could not access private key file \"%s\": %m",
fnbuf)));
+ if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
+ ereport(FATAL,
+ (errmsg("could not load private key file \"%s\": %s",
+ fnbuf, SSLerrmessage())));
+
if (!S_ISREG(buf.st_mode) || (buf.st_mode & (S_IRWXG | S_IRWXO)) ||
buf.st_uid != getuid())
ereport(FATAL,
@@ -658,11 +663,6 @@
fnbuf),
errdetail("File must be owned by the database user and must have no permissions for \"group\" or \"other\".")));

- if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
- ereport(FATAL,
- (errmsg("could not load private key file \"%s\": %s",
- fnbuf, SSLerrmessage())));
-
if (!SSL_CTX_check_private_key(SSL_context))
ereport(FATAL,
(errmsg("check of private key failed: %s",

could produce a more meaningfull message. (this places the
SSL_CTX_use_PrivateKey_file() call before the permissions check, but as you
said, this may not worth the trouble.

There is one more thing. Perhaps you may want to apply this:

--- be-secure.c.orig 2004-11-16 22:30:35.000000000 +0200
+++ be-secure.c.2 2004-11-16 22:35:45.000000000 +0200
@@ -651,7 +651,7 @@
errmsg("could not access private key file \"%s\": %m",
fnbuf)));
if (!S_ISREG(buf.st_mode) || (buf.st_mode & (S_IRWXG | S_IRWXO)) ||
- buf.st_uid != getuid())
+ (buf.st_uid != getuid() && buf.st_uid))
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("unsafe permissions on private key file \"%s\"",

so that it will be possible to have a private key owned by root with strict
permissions where the access can be controled by ACLs. Using the existing
method it is not possible to have root owner and give postgresql
(and possibly others too) read permissions to the key using ACLs. I believe
that there will be cases where a server has one certificate only, for all of
its services, and the same private key will must be shared between
postgresql, apache, sendmail and possibly other programs.

<<V13>>