summaryrefslogtreecommitdiffstats
path: root/t/032_ssl_key_permissions.t
blob: 929f08afcbeb2f8f9d8f047b4763911c20ba748d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
use strict;
use warnings;

use lib 't';
use TestLib;
use PgCommon;
use Test::More tests => $PgCommon::rpm ? 1 : 3 + 19 * @MAJORS;

if ($PgCommon::rpm) { pass 'No ssl key checks on RedHat'; exit; }

my ($pg_uid, $pg_gid) = (getpwnam 'postgres')[2,3];
my $ssl_cert_gid = (getgrnam 'ssl-cert')[2]; # reset permissions
die "Could not determine ssl-cert gid" unless ($ssl_cert_gid);

my $snakekey = '/etc/ssl/private/ssl-cert-snakeoil.key';
is ((stat $snakekey)[4], 0, "$snakekey is owned by root");
is ((stat $snakekey)[5], $ssl_cert_gid, "$snakekey group is ssl-cert");
is ((stat $snakekey)[2], 0100640, "$snakekey mode is 0640");

foreach my $version (@MAJORS) {
    my $pkgversion = `dpkg-query -f '\${Version}' -W postgresql-$version`;
    note "$version ($pkgversion)";
    if ($version <= 9.1) {
        pass "no SSL support on $version" foreach (1..19);
        next;
    }
SKIP: {
    skip "No SSL key check on <= 9.0", 19 if ($version <= 9.0);
    program_ok (0, "pg_createcluster $version main");

    my $nobody_uid = (getpwnam 'nobody')[2];
    chown $nobody_uid, 0, $snakekey;
    like_program_out 'postgres', "pg_ctlcluster $version main start", 1,
        qr/private key file.*must be owned by the database user or root/s,
        'ssl key owned by nobody refused';

SKIP: {
    skip "SSL key group check skipped on Debian oldstable packages", 4 if ($version <= 9.4 and $pkgversion !~ /pgdg/);
    chown 0, 0, $snakekey;
    chmod 0644, $snakekey;
    like_program_out 'postgres', "pg_ctlcluster $version main start", 1,
        qr/private key file.*has group or world access/,
        'ssl key with permissions root:root 0644 refused';

    chown $pg_uid, $pg_gid, $snakekey;
    chmod 0640, $snakekey;
    like_program_out 'postgres', "pg_ctlcluster $version main start", 1,
        qr/private key file.*has group or world access/,
        'ssl key with permissions postgres:postgres 0640 refused';
}

    chown 0, $ssl_cert_gid, $snakekey;

    program_ok (0, "pg_dropcluster $version main --stop");
    is ((stat $snakekey)[4], 0, "$snakekey is owned by root");
    is ((stat $snakekey)[5], $ssl_cert_gid, "$snakekey group is ssl-cert");
    is ((stat $snakekey)[2], 0100640, "$snakekey mode is 0640");
    check_clean;
}
}