[agroal#132] Slightly reduce TLS file security checks

* Allow files to additionally be owned by root * Allow group read permissions on private key file
will · Jan 29, 2021 · cafe3af · cafe3af
1 parent 32ab204
commit cafe3af
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 11 deletions.
diff --git a/doc/CONFIGURATION.md b/doc/CONFIGURATION.md
@@ -45,9 +45,9 @@ See a [sample](./etc/pgagroal/pgagroal.conf) configuration for running `pgagroal
 | failover | `off` | Bool | No | Enable failover support |
 | failover_script | | String | No | The failover script to execute |
 | tls | `off` | Bool | No | Enable Transport Layer Security (TLS) |
-| tls_cert_file | | String | No | Certificate file for TLS |
-| tls_key_file | | String | No | Private key file for TLS |
-| tls_ca_file | | String | No | Certificate Authority (CA) file for TLS |
+| tls_cert_file | | String | No | Certificate file for TLS. This file must be owned by either the user running pgagroal or root. |
+| tls_key_file | | String | No | Private key file for TLS. This file must be owned by either the user running pgagroal or root. Additionally permissions must be `0600` or `06400`. |
+| tls_ca_file | | String | No | Certificate Authority (CA) file for TLS. This file must be owned by either the user running pgagroal or root.  |
 | libev | `auto` | String | No | Select the [libev](http://software.schmorp.de/pkg/libev.html) backend to use. Valid options: `auto`, `select`, `poll`, `epoll`, `iouring`, `devpoll` and `port` |
 | buffer_size | 65535 | Int | No | The network buffer size (`SO_RCVBUF` and `SO_SNDBUF`) |
 | keep_alive | on | Bool | No | Have `SO_KEEPALIVE` on sockets |

diff --git a/src/libpgagroal/security.c b/src/libpgagroal/security.c
@@ -3184,9 +3184,9 @@ pgagroal_tls_valid(void)
          goto error;
       }
 
-      if (st.st_uid != geteuid())
+      if (st.st_uid && st.st_uid != geteuid())
       {
-         pgagroal_log_error("TLS certificate file not owned by user: %s", config->tls_cert_file);
+         pgagroal_log_error("TLS certificate file not owned by user or root: %s", config->tls_cert_file);
          goto error;
       }
 
@@ -3204,15 +3204,15 @@ pgagroal_tls_valid(void)
          goto error;
       }
 
-      if (st.st_uid != geteuid())
+      if (st.st_uid && st.st_uid != geteuid())
       {
-         pgagroal_log_error("TLS private key file not owned by user: %s", config->tls_key_file);
+         pgagroal_log_error("TLS private key file not owned by user or root: %s", config->tls_key_file);
          goto error;
       }
 
-      if (st.st_mode & (S_IRWXG | S_IRWXO))
+      if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO))
       {
-         pgagroal_log_error("TLS private key file must have 0600 permissions: %s", config->tls_key_file);
+         pgagroal_log_error("TLS private key file must have at least 0640 permissions: %s", config->tls_key_file);
          goto error;
       }
 
@@ -3232,9 +3232,9 @@ pgagroal_tls_valid(void)
             goto error;
          }
 
-         if (st.st_uid != geteuid())
+         if (st.st_uid && st.st_uid != geteuid())
          {
-            pgagroal_log_error("TLS CA file not owned by user: %s", config->tls_ca_file);
+            pgagroal_log_error("TLS CA file not owned by user or root: %s", config->tls_ca_file);
             goto error;
          }
       }