Message-ID: From: "harinath001 (@harinath001)" To: "pgjdbc/pgjdbc" Date: Wed, 04 Mar 2026 20:35:22 +0000 Subject: [pgjdbc/pgjdbc] PR #3952: ssl: align key file permission check with libpq List-Id: X-GitHub-Author-Id: 9057411 X-GitHub-Author-Login: harinath001 X-GitHub-Issue: 3952 X-GitHub-Repo: pgjdbc/pgjdbc X-GitHub-State: merged X-GitHub-Type: pull_request X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/3952 Content-Type: text/plain; charset=utf-8 ### Context pgjdbc currently refuses to connect if a private key file has any group or other permissions — it strictly requires `0600`. That's a safe default, but it's stricter than what libpq (the reference PostgreSQL C client) actually enforces. libpq makes a practical distinction: if the key file is owned by root, it allows group-read (`0640`). This matters in real deployments where a system administrator owns the certificates and grants read access to a service account via group membership. With pgjdbc's current behavior, those setups break — even though `psql` and every other libpq-based client works just fine with them. For non-root-owned files, libpq is strict: no group or other access. pgjdbc agrees on that part. The gap is only for root-owned files, and that's what this PR closes. The relevant check in libpq's `fe-secure-openssl.c` is: ```c if (buf.st_uid == 0 ? buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO) : buf.st_mode & (S_IRWXG | S_IRWXO)) ``` ### Changes to Existing Features: - The only behavioral change is that root-owned key files with `GROUP_READ` (`0640`) are now accepted instead of rejected, matching libpq. All other permission checks remain unchanged. ### All Submissions: * [x] Have you followed the guidelines in our [Contributing](https://github.com/pgjdbc/pgjdbc/blob/master/CONTRIBUTING.md) document? * [x] Have you checked to ensure there aren't other open [Pull Requests](../../pulls) for the same update/change? ### New Feature Submissions: 1. [x] Does your submission pass tests? 2. [x] Does `./gradlew styleCheck` pass ? 3. [x] Have you added your new test classes to an existing test suite in alphabetical order?