Comment 2 for bug 21508

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 12 Sep 2005 22:46:14 +0200
From: Timo Weingärtner <email address hidden>
To: "Debian Bug Tracking System" <email address hidden>
Subject: postgresql-common: Fails after upgrade because of too strict checking of permissions on SSL key file

Package: postgresql-common
Version: 25
Severity: grave
Justification: causes non-serious data loss

After upgrade from version 23 postgres-8.0 fails to start with:

---8<---8<---
FATAL: unsichere Berechtigungen für private Schlüsseldatei »/var/lib/postgresql/8.0/main/server.key«
DETAIL: Die Datei muss dem Datenbankbenutzer gehören und keine Berechtigungen für »Gruppe« oder »Andere« haben.
---8<---8<---

I don't want to try it with other locale settings because I don't want
to lose more accounting data.
It says "insecure permissions" and wants the file to be owned by the
database user and have maximum permissions of 0700.

My permissions are:

---8<---8<---
# file: etc/ssl/private/server.tiwe.homelinux.org_key.pem
# owner: root
# group: root
user::r--
user:postgres:r--
user:Debian-exim:r--
group::---
mask::r--
other::---
---8<---8<---

(The key file is made immutable to keep cupsys from changing
permissions)

If postgres thinks the file is insecure it could issue a warning, but
refusing to start is NOT OK.

Finally I AM THE ADMIN and I know what I'm doing. I don't need any
program pretending to be more clever than me.

There was no warning to check permissions before upgrading, so I lost
accounting data (not serious, it costs me no money).

Timo Weingärtner

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.2-swsusp2
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages postgresql-common depends on:
ii adduser 3.67 Add and remove users and groups

Versions of packages postgresql-common recommends:
ii openssl 0.9.7e-3 Secure Socket Layer (SSL) binary a

-- no debconf information

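An added example, not part of the original report and not PostgreSQL's own code: a pre-upgrade check that applies the two conditions named in the DETAIL line above (owned by the database user, no group or other permissions) to a key file. The names `key_file_problems` and `demo` are hypothetical, the sample file is constructed, and mode 0440 stands in for what stat reports on Linux for an ACL with `user::r--` and `mask::r--`.

```python
import os
import stat
import tempfile


def key_file_problems(path, db_uid):
    """Return the reasons an owner-and-mode check would reject this key file."""
    st = os.stat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != db_uid:
        problems.append(f"owned by uid {st.st_uid}, not database uid {db_uid}")
    # On Linux, a file with a POSIX ACL reports the ACL mask in the group
    # bits of st_mode, so mask::r-- appears as group read even when the
    # group:: entry itself is ---.
    extra = stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)
    if extra:
        problems.append(f"group/other bits set: {extra:04o}")
    return problems


def demo():
    """Constructed sample: a throwaway file stands in for server.key."""
    me = os.geteuid()
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server.key")
        with open(key, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o600)
        private = key_file_problems(key, me)
        # Assumption: pretend the database user has a different uid.
        wrong_owner = key_file_problems(key, me + 1)
        # Mode as stat would report it for user::r--, mask::r--, other::---.
        os.chmod(key, 0o440)
        acl_like = key_file_problems(key, me)
    return private, wrong_owner, acl_like


if __name__ == "__main__":
    for label, result in zip(("0600 own file", "wrong owner", "ACL-like 0440"), demo()):
        print(label, "->", result or "ok")
```

Running it against the real key path with the database user's uid before upgrading shows whether a check of this kind would refuse the file.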