be-secure-common.c

Go to the documentation of this file.

/*-------------------------------------------------------------------------
 *
 * be-secure-common.c
 *
 * common implementation-independent SSL support code
 *
 * While be-secure.c contains the interfaces that the rest of the
 * communications code calls, this file contains support routines that are
 * used by the library-specific implementations such as be-secure-openssl.c.
 *
 * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
 * IDENTIFICATION
 *    src/backend/libpq/be-secure-common.c
 *
 *-------------------------------------------------------------------------
 */
 
#include "postgres.h"
 
#include <sys/stat.h>
#include <unistd.h>
 
#include "common/percentrepl.h"
#include "common/string.h"
#include "libpq/libpq.h"
#include "storage/fd.h"
 
/*
 * Run ssl_passphrase_command
 *
 * prompt will be substituted for %p.  is_server_start determines the loglevel
 * of error messages.
 *
 * The result will be put in buffer buf, which is of size size.  The return
 * value is the length of the actual result.
 */
int
run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf, int size)
{
    int         loglevel = is_server_start ? ERROR : LOG;
    char       *command;
    FILE       *fh;
    int         pclose_rc;
    size_t      len = 0;
 
    Assert(prompt);
    Assert(size > 0);
    buf[0] = '\0';
 
    command = replace_percent_placeholders(ssl_passphrase_command, "ssl_passphrase_command", "p", prompt);
 
    fh = OpenPipeStream(command, "r");
    if (fh == NULL)
    {
        ereport(loglevel,
                (errcode_for_file_access(),
                 errmsg("could not execute command \"%s\": %m",
                        command)));
        goto error;
    }
 
    if (!fgets(buf, size, fh))
    {
        if (ferror(fh))
        {
            explicit_bzero(buf, size);
            ereport(loglevel,
                    (errcode_for_file_access(),
                     errmsg("could not read from command \"%s\": %m",
                            command)));
            goto error;
        }
    }
 
    pclose_rc = ClosePipeStream(fh);
    if (pclose_rc == -1)
    {
        explicit_bzero(buf, size);
        ereport(loglevel,
                (errcode_for_file_access(),
                 errmsg("could not close pipe to external command: %m")));
        goto error;
    }
    else if (pclose_rc != 0)
    {
        explicit_bzero(buf, size);
        ereport(loglevel,
                (errcode_for_file_access(),
                 errmsg("command \"%s\" failed",
                        command),
                 errdetail_internal("%s", wait_result_to_str(pclose_rc))));
        goto error;
    }
 
    /* strip trailing newline and carriage return */
    len = pg_strip_crlf(buf);
 
error:
    pfree(command);
    return len;
}
 
 
/*
 * Check permissions for SSL key files.
 */
bool
check_ssl_key_file_permissions(const char *ssl_key_file, bool isServerStart)
{
    int         loglevel = isServerStart ? FATAL : LOG;
    struct stat buf;
 
    if (stat(ssl_key_file, &buf) != 0)
    {
        ereport(loglevel,
                (errcode_for_file_access(),
                 errmsg("could not access private key file \"%s\": %m",
                        ssl_key_file)));
        return false;
    }
 
    /* Key file must be a regular file */
    if (!S_ISREG(buf.st_mode))
    {
        ereport(loglevel,
                (errcode(ERRCODE_CONFIG_FILE_ERROR),
                 errmsg("private key file \"%s\" is not a regular file",
                        ssl_key_file)));
        return false;
    }
 
    /*
     * Refuse to load key files owned by users other than us or root, and
     * require no public access to the key file.  If the file is owned by us,
     * require mode 0600 or less.  If owned by root, require 0640 or less to
     * allow read access through either our gid or a supplementary gid that
     * allows us to read system-wide certificates.
     *
     * Note that roughly similar checks are performed in
     * src/interfaces/libpq/fe-secure-openssl.c so any changes here may need
     * to be made there as well.  The environment is different though; this
     * code can assume that we're not running as root.
     *
     * Ideally we would do similar permissions checks on Windows, but it is
     * not clear how that would work since Unix-style permissions may not be
     * available.
     */
#if !defined(WIN32) && !defined(__CYGWIN__)
    if (buf.st_uid != geteuid() && buf.st_uid != 0)
    {
        ereport(loglevel,
                (errcode(ERRCODE_CONFIG_FILE_ERROR),
                 errmsg("private key file \"%s\" must be owned by the database user or root",
                        ssl_key_file)));
        return false;
    }
 
    if ((buf.st_uid == geteuid() && buf.st_mode & (S_IRWXG | S_IRWXO)) ||
        (buf.st_uid == 0 && buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)))
    {
        ereport(loglevel,
                (errcode(ERRCODE_CONFIG_FILE_ERROR),
                 errmsg("private key file \"%s\" has group or world access",
                        ssl_key_file),
                 errdetail("File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.")));
        return false;
    }
#endif
 
    return true;
}