git.postgresql.org Git - postgresql.git/commitdiff

git projects / postgresql.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e58791c)
Doc: update libpq.sgml for root-owned SSL private keys.
author Tom Lane <tgl@sss.pgh.pa.us>
Wed, 2 Mar 2022 16:29:11 +0000 (11:29 -0500)
committer Tom Lane <tgl@sss.pgh.pa.us>
Wed, 2 Mar 2022 16:29:11 +0000 (11:29 -0500)
My oversight in a59c79564.

Discussion: https://postgr.es/m/f4b7bc55-97ac-9e69-7398-335e212f7743@pgmasters.net

doc/src/sgml/libpq.sgml patch | blob | blame | history

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 64e17401cdf1235ac14fd4c246d74ae6e4c6c896..3998b1781b9f3fe99f980fd7bcd3919c08b53f6b 100644 (file)
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -8397,23 +8397,35 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
<para>
If the server attempts to verify the identity of the
client by requesting the client's leaf certificate,
- <application>libpq</application> will send the certificates stored in
+ <application>libpq</application> will send the certificate(s) stored in
file <filename>~/.postgresql/postgresql.crt</filename> in the user's home
directory. The certificates must chain to the root certificate trusted
by the server. A matching
private key file <filename>~/.postgresql/postgresql.key</filename> must also
- be present. The private
- key file must not allow any access to world or group; achieve this by the
- command <command>chmod 0600 ~/.postgresql/postgresql.key</command>.
+ be present.
On Microsoft Windows these files are named
<filename>%APPDATA%\postgresql\postgresql.crt</filename> and
- <filename>%APPDATA%\postgresql\postgresql.key</filename>, and there
- is no special permissions check since the directory is presumed secure.
+ <filename>%APPDATA%\postgresql\postgresql.key</filename>.
The location of the certificate and key files can be overridden by the
- connection parameters <literal>sslcert</literal> and <literal>sslkey</literal> or the
+ connection parameters <literal>sslcert</literal>
+ and <literal>sslkey</literal>, or by the
environment variables <envar>PGSSLCERT</envar> and <envar>PGSSLKEY</envar>.
</para>
+ <para>
+ On Unix systems, the permissions on the private key file must disallow
+ any access to world or group; achieve this by a command such as
+ <command>chmod 0600 ~/.postgresql/postgresql.key</command>.
+ Alternatively, the file can be owned by root and have group read access
+ (that is, <literal>0640</literal> permissions). That setup is intended
+ for installations where certificate and key files are managed by the
+ operating system. The user of <application>libpq</application> should
+ then be made a member of the group that has access to those certificate
+ and key files. (On Microsoft Windows, there is no file permissions
+ check, since the <filename>%APPDATA%\postgresql</filename> directory is
+ presumed secure.)
+ </para>
+
<para>
The first certificate in <filename>postgresql.crt</filename> must be the
client's certificate because it must match the client's private key.
This is the main PostgreSQL git repository.
RSS Atom

AltStyle によって変換されたページ (->オリジナル) /