#ifdef out file permissions check on SSL key file when on Windows, as

we also have done for the data directory permissions check.

Dave Page

diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 639b7a0245e727711411b91402860010d1cb950f..3f9e0a64da2bed2a064131cf661fa1d9ccd45129 100644 (file)
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *   $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.45 2003/12/18 22:49:26 tgl Exp $
+ *   $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.46 2004/06/25 15:07:52 tgl Exp $
  *
  *   Since the server static private key ($DataDir/server.key)
  *   will normally be stored unencrypted so that the database
@@ -650,6 +650,16 @@ initialize_SSL(void)
                    (errcode_for_file_access(),
                   errmsg("could not access private key file \"%s\": %m",
                          fnbuf)));
+
+       /* 
+        * Require no public access to key file.
+        *
+        * XXX temporarily suppress check when on Windows, because there may
+        * not be proper support for Unix-y file permissions.  Need to think
+        * of a reasonable check to apply on Windows.  (See also the data
+        * directory permission check in postmaster.c)
+        */
+#if !defined(__CYGWIN__) && !defined(WIN32)
        if (!S_ISREG(buf.st_mode) || (buf.st_mode & (S_IRWXG | S_IRWXO)) ||
            buf.st_uid != getuid())
            ereport(FATAL,
@@ -657,6 +667,7 @@ initialize_SSL(void)
                  errmsg("unsafe permissions on private key file \"%s\"",
                         fnbuf),
                     errdetail("File must be owned by the database user and must have no permissions for \"group\" or \"other\".")));
+#endif
 
        if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
            ereport(FATAL,