Re: [exim] How to access pgsql client cert when running suid…

Author: Axel Rau
Date:
To: Jeremy Harris
CC: Exim-users
Subject: Re: [exim] How to access pgsql client cert when running suid ?


> On 24.05.2022 at 22:12, Jeremy Harris via Exim-users <exim-users@???> wrote:
>
> https://www.postgresql.org/docs/9.1/libpq-ssl.html says it'll
> send ~/.postgresql/postgresql.crt - and that is obviously
> going to be a problem for a client that is dancing around different
> user identities.
>
> https://www.postgresql.org/docs/9.5/libpq-envars.html
> lists PGSSLCERT and PGSSLKEY which look plausible as a way of
> telling it specifically where to look.
> So you just need to run with those set up in exim's environment.
> Have a look at the "add_environment" main config option.



Thanks for pointing this out,

A client cert is bound to a user (both client and db user).
Doing this as root has too many implications and is not feasible.
It's easier to run exim w/o setuid root on the incoming and outgoing relays.

Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius