pq: No way to override - Error: pq: Private key file has group or world access. Permissions should be u=rw (0600) or less
I found while using Windows Subsystem for Linux, that when I tried using the Linux binary of cockroachdb, libpq didn’t like my certificate files because the permissions are 777.
There should be a way to override this check for people that just want to use libpq in a test environment where permissions don’t matter. I have to keep the files on the Windows partition, where there are no Unix-based permissions, so I have direct access to my files with IDEs and such.
This could also be problematic for users trying to utilize storage systems from Linux that don’t use unix-like permissions, where everything presents as 777 or some arbitrary perm value.
The cockroachdb commands had an elegant solution of reading the environment variable COCKROACH_SKIP_KEY_PERMISSION_CHECK to bypass its check:
https://github.com/cockroachdb/cockroach/blob/master/pkg/security/certificate_loader.go#L33-L41
Maybe something like this could be a viable option for libpq?
About this issue
- State: closed
- Created 5 years ago
- Comments: 17 (3 by maintainers)
Any update on this?
It’s open because I’ve not been keeping track of this issue. Looks like perms checking can be skipped now as mentioned, closing.
It would be important for container-based postgres clients to have an option to ignore this error (or simply display the warning, but don’t stop working). I understand the security aspects of this error, but it prevents users from using postgres in a container-based environment.
What users are doing in container-based environments is to copy the file to a second place and give it the correct rights. This is less secure because the file now exists two times and the original file still has group-readable access.
There are discussions out there for which one can search. Here’s one that mentions macOS groups like “staff”.
https://www.postgresql.org/message-id/20160218133438.GC15260@msg.df7cb.de
This isn’t a security workaround, it’s telling PQ to knock it off with validating the SSL chain. This is normal behavior in dev environments. The encryption still happens. It’s the same ciphers as previously. It’s just making it so you can use self-signed certs for testing. Managing your own CA and installing your own root certs is literally done by no one in their right mind anywhere in lower environments.