On Mon, 21/11/2011 at 09.08 +0100, Magnus Hagander wrote:
> What actual error do you get?

ENOTDIR, sorry but I don't really want to break my system again just to show the strerror output ;)

> It's still impossible to use it securely, but I agree we shouldn't just
> error out in a situation like that - the user wanted to be insecure,
> after all.. But I'm not sure just dropping the check is the correct
> answer - adjusting it is probably a better idea.

Whether non-user-certificate SSL is "unsecure" or not I guess is mostly up for debate — I think that for many people, including me, simply having host-based authentication should be quite secure, of course depending on the use case.

The main problem there is that right now a very common Unix setup is broken, and that's definitely not what you wanted in the first place.

"Adjusting" the check doesn't seem to make much sense.. you'll still fail with an error in some other situation if you just whitelist ENOTDIR... simply unify the codepaths, and if stat fails ignore the presence of the certificate... what's the worst that may happen?

Speaking of this, it might be a good idea to also change the code to respect the HOME environment variable: in my case the home directory could be dynamically set before starting the process, but since libpq accesses the shadow database, instead of checking HOME, I can't fix it properly that way.

Thanks,

--
Diego Elio Pettenò <flamee...@flameeyes.eu>
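The behaviour proposed in the message above, as an added example that is not libpq code and not part of the original post: the home directory is taken from `HOME` before the passwd database, and any `stat()` failure on the certificate path is treated as "no certificate" instead of a fatal error. The helper names and the relative path `certdir/client.crt` are constructed placeholders.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define CERT_REL "certdir/client.crt" /* constructed placeholder path */

/* Hypothetical helper: prefer $HOME, fall back to the passwd database. */
static const char *home_dir(void)
{
    const char *h = getenv("HOME");
    struct passwd *pw;

    if (h != NULL && *h != '\0')
        return h;
    pw = getpwuid(geteuid());
    return pw != NULL ? pw->pw_dir : NULL;
}

/* Return 1 if a regular file exists at <home>/CERT_REL, else 0. Every
 * stat() failure (ENOENT, ENOTDIR, EACCES, ...) takes the same "no
 * certificate" path; *err carries errno for logging only. */
static int client_cert_present(const char *home, int *err)
{
    char path[1024];
    struct stat st;
    int n;

    n = home != NULL ? snprintf(path, sizeof path, "%s/%s", home, CERT_REL) : -1;
    if (n < 0 || (size_t) n >= sizeof path) {
        *err = home != NULL ? ENAMETOOLONG : ENOENT;
        return 0;
    }
    if (stat(path, &st) != 0) {
        *err = errno;
        return 0;
    }
    *err = 0;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

int main(void)
{
    int err;
    int found = client_cert_present(home_dir(), &err);
    printf("client certificate %s (errno %d)\n", found ? "found" : "not used", err);
    return 0;
}
```

Returning `errno` alongside the result lets the caller log why a certificate was skipped, so an unreadable file (`EACCES`) can still be told apart from a home directory that is not a directory (`ENOTDIR`).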