*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.3 2002/06/14 04:33:53 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.4 2002/06/14 04:35:02 momjian Exp $
*
* Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database
* [ ] use 'random' file, read from '/dev/urandom?'
* [*] emphermal DH keys, default values
* [*] periodic renegotiation
- * [ ] private key permissions
+ * [*] private key permissions
*
* milestone 4: provide endpoint authentication (client)
* [ ] server verifies client certificates
fnbuf, SSLerrmessage());
ExitPostmaster(1);
}
+
snprintf(fnbuf, sizeof(fnbuf), "%s/server.key", DataDir);
+ if (lstat(fnbuf, &buf) == -1)
+ {
+ postmaster_error("failed to stat private key file (%s): %s",
+ fnbuf, strerror(errno));
+ ExitPostmaster(1);
+ }
+ if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0077) ||
+ buf.st_uid != getuid())
+ {
+ postmaster_error("bad permissions on private key file (%s)", fnbuf);
+ ExitPostmaster(1);
+ }
if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
{
postmaster_error("failed to load private key file (%s): %s",