pgjdbc/pgjdbc GitHub issues and pull requests (mirror)
help / color / mirror / Atom feed[pgjdbc/pgjdbc] PR #3952: ssl: align key file permission check with libpq
4+ messages / 3 participants
[nested] [flat]
* [pgjdbc/pgjdbc] PR #3952: ssl: align key file permission check with libpq
@ 2026-03-04 20:35 "harinath001 (@harinath001)" <[email protected]>
0 siblings, 0 replies; 4+ messages in thread
From: harinath001 (@harinath001) @ 2026-03-04 20:35 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
### Context
pgjdbc currently refuses to connect if a private key file has any group or other permissions —
it strictly requires `0600`. That's a safe default, but it's stricter than what libpq (the
reference PostgreSQL C client) actually enforces.
libpq makes a practical distinction: if the key file is owned by root, it allows group-read
(`0640`). This matters in real deployments where a system administrator owns the certificates
and grants read access to a service account via group membership. With pgjdbc's current behavior,
those setups break — even though `psql` and every other libpq-based client works just fine with
them.
For non-root-owned files, libpq is strict: no group or other access. pgjdbc agrees on that part.
The gap is only for root-owned files, and that's what this PR closes.
The relevant check in libpq's `fe-secure-openssl.c` is:
```c
if (buf.st_uid == 0 ?
buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO) :
buf.st_mode & (S_IRWXG | S_IRWXO))
```
### Changes to Existing Features:
- The only behavioral change is that root-owned key files with `GROUP_READ` (`0640`) are now
accepted instead of rejected, matching libpq. All other permission checks remain unchanged.
### All Submissions:
* [x] Have you followed the guidelines in our [Contributing](https://github.com/pgjdbc/pgjdbc/blob/master/CONTRIBUTING.md) document?
* [x] Have you checked to ensure there aren't other open [Pull Requests](../../pulls) for the same update/change?
### New Feature Submissions:
1. [x] Does your submission pass tests?
2. [x] Does `./gradlew styleCheck` pass ?
3. [x] Have you added your new test classes to an existing test suite in alphabetical order?
^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: [pgjdbc/pgjdbc] PR #3952: ssl: align key file permission check with libpq
@ 2026-03-05 11:44 "davecramer (@davecramer)" <[email protected]>
2 siblings, 0 replies; 4+ messages in thread
From: davecramer (@davecramer) @ 2026-03-05 11:44 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
I don't see any issues with this. Will merge if no objections
^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: [pgjdbc/pgjdbc] PR #3952: ssl: align key file permission check with libpq
@ 2026-03-09 18:53 "harinath001 (@harinath001)" <[email protected]>
2 siblings, 0 replies; 4+ messages in thread
From: harinath001 (@harinath001) @ 2026-03-09 18:53 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
@davecramer yeah, this change will be very helpful in many environments !! Waiting for the merge and release , thank you !!
^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: [pgjdbc/pgjdbc] PR #3952: ssl: align key file permission check with libpq
@ 2026-05-19 08:15 "tonirevert (@tonirevert)" <[email protected]>
2 siblings, 0 replies; 4+ messages in thread
From: tonirevert (@tonirevert) @ 2026-05-19 08:15 UTC (permalink / raw)
To: pgjdbc/pgjdbc <[email protected]>
After this change, the certificates that we use in our company started to fail on DBeaver because of the permission checks...
^ permalink raw reply [nested|flat] 4+ messages in thread
end of thread, other threads:[~2026-05-19 08:15 UTC | newest]
Thread overview: 4+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-03-04 20:35 [pgjdbc/pgjdbc] PR #3952: ssl: align key file permission check with libpq "harinath001 (@harinath001)" <[email protected]>
2026-03-05 11:44 ` "davecramer (@davecramer)" <[email protected]>
2026-03-09 18:53 ` "harinath001 (@harinath001)" <[email protected]>
2026-05-19 08:15 ` "tonirevert (@tonirevert)" <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox