be-secure-common.c File Reference

#include "postgres.h"
#include <sys/stat.h>
#include <unistd.h>
#include "common/string.h"
#include "libpq/libpq.h"
#include "storage/fd.h"

Include dependency graph for be-secure-common.c:

Go to the source code of this file.

Functions
int	run_ssl_passphrase_command (const char *prompt, bool is_server_start, char *buf, int size)
bool	check_ssl_key_file_permissions (const char *ssl_key_file, bool isServerStart)

Function Documentation

check_ssl_key_file_permissions()

bool check_ssl_key_file_permissions	(	const char *	ssl_key_file,
		bool	isServerStart
	)

Definition at line 132 of file be-secure-common.c.

References ereport, errcode(), errcode_for_file_access(), errdetail(), errmsg(), FATAL, LOG, S_IRWXG, S_IRWXO, S_ISREG, S_IWGRP, S_IXGRP, stat::st_mode, stat::st_uid, and stat.

Referenced by be_tls_init().

{
    int         loglevel = isServerStart ? FATAL : LOG;
    struct stat buf;

    if (stat(ssl_key_file, &buf) != 0)
    {
        ereport(loglevel,
                (errcode_for_file_access(),
                 errmsg("could not access private key file \"%s\": %m",
                        ssl_key_file)));
        return false;
    }

    if (!S_ISREG(buf.st_mode))
    {
        ereport(loglevel,
                (errcode(ERRCODE_CONFIG_FILE_ERROR),
                 errmsg("private key file \"%s\" is not a regular file",
                        ssl_key_file)));
        return false;
    }

    /*
     * Refuse to load key files owned by users other than us or root.
     *
     * XXX surely we can check this on Windows somehow, too.
     */
#if !defined(WIN32) && !defined(__CYGWIN__)
    if (buf.st_uid != geteuid() && buf.st_uid != 0)
    {
        ereport(loglevel,
                (errcode(ERRCODE_CONFIG_FILE_ERROR),
                 errmsg("private key file \"%s\" must be owned by the database user or root",
                        ssl_key_file)));
        return false;
    }
#endif

    /*
     * Require no public access to key file. If the file is owned by us,
     * require mode 0600 or less. If owned by root, require 0640 or less to
     * allow read access through our gid, or a supplementary gid that allows
     * to read system-wide certificates.
     *
     * XXX temporarily suppress check when on Windows, because there may not
     * be proper support for Unix-y file permissions.  Need to think of a
     * reasonable check to apply on Windows.  (See also the data directory
     * permission check in postmaster.c)
     */
#if !defined(WIN32) && !defined(__CYGWIN__)
    if ((buf.st_uid == geteuid() && buf.st_mode & (S_IRWXG | S_IRWXO)) ||
        (buf.st_uid == 0 && buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)))
    {
        ereport(loglevel,
                (errcode(ERRCODE_CONFIG_FILE_ERROR),
                 errmsg("private key file \"%s\" has group or world access",
                        ssl_key_file),
                 errdetail("File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.")));
        return false;
    }
#endif

    return true;
}

run_ssl_passphrase_command()

int run_ssl_passphrase_command	(	const char *	prompt,
		bool	is_server_start,
		char *	buf,
		int	size
	)

Definition at line 39 of file be-secure-common.c.

References appendStringInfoChar(), appendStringInfoString(), Assert, ClosePipeStream(), StringInfoData::data, ereport, errcode_for_file_access(), errdetail_internal(), errmsg(), ERROR, error(), explicit_bzero(), initStringInfo(), LOG, OpenPipeStream(), pfree(), pg_strip_crlf(), ssl_passphrase_command, and wait_result_to_str().

Referenced by ssl_external_passwd_cb().

{
    int         loglevel = is_server_start ? ERROR : LOG;
    StringInfoData command;
    char       *p;
    FILE       *fh;
    int         pclose_rc;
    size_t      len = 0;

    Assert(prompt);
    Assert(size > 0);
    buf[0] = '\0';

    initStringInfo(&command);

    for (p = ssl_passphrase_command; *p; p++)
    {
        if (p[0] == '%')
        {
            switch (p[1])
            {
                case 'p':
                    appendStringInfoString(&command, prompt);
                    p++;
                    break;
                case '%':
                    appendStringInfoChar(&command, '%');
                    p++;
                    break;
                default:
                    appendStringInfoChar(&command, p[0]);
            }
        }
        else
            appendStringInfoChar(&command, p[0]);
    }

    fh = OpenPipeStream(command.data, "r");
    if (fh == NULL)
    {
        ereport(loglevel,
                (errcode_for_file_access(),
                 errmsg("could not execute command \"%s\": %m",
                        command.data)));
        goto error;
    }

    if (!fgets(buf, size, fh))
    {
        if (ferror(fh))
        {
            explicit_bzero(buf, size);
            ereport(loglevel,
                    (errcode_for_file_access(),
                     errmsg("could not read from command \"%s\": %m",
                            command.data)));
            goto error;
        }
    }

    pclose_rc = ClosePipeStream(fh);
    if (pclose_rc == -1)
    {
        explicit_bzero(buf, size);
        ereport(loglevel,
                (errcode_for_file_access(),
                 errmsg("could not close pipe to external command: %m")));
        goto error;
    }
    else if (pclose_rc != 0)
    {
        explicit_bzero(buf, size);
        ereport(loglevel,
                (errcode_for_file_access(),
                 errmsg("command \"%s\" failed",
                        command.data),
                 errdetail_internal("%s", wait_result_to_str(pclose_rc))));
        goto error;
    }

    /* strip trailing newline and carriage return */
    len = pg_strip_crlf(buf);

error:
    pfree(command.data);
    return len;
}