5

I'm trying to create a certificate for PostgreSQL.

On this link the last step is to use the command:

chmod og-rwx server.key

But I have Windows 10. What could be the equivalent of that command?

Dan Cruz

2 Answers

2

This may work, icacls server.key /grant Everyone:F

Explanation: So, what chmod does is change a file's permissions. The root, or whoever has the ability to chmod, can allow or remove permissions such as reading a file, writing to a file, or executing a file. So the statement chmod og-rwx server.key means o, allow users who are not owners of this file, AND g, users who are part of this file's group, to rwx (or read, write, and execute). Now, tell chmod what file we are doing this to? server.key.

The question then becomes, how do we replicate this command and options in Windows 10? According to Microsoft's TechNet page, icacls is the command to use. Next, mirror the options described by chmod, so we grant everyone full access.

Hope this helps (and more importantly works!)

  • This answer obviously has good intentions, but is actually the exact opposite of the Linux command `chmod og-rwx server.key`. The command in this answer gives `Full control` to `Everyone` (which can have security implications), whereas the Linux command recommended in PostgreSQL documentation denies all access to everyone but the owner of the file. – quasoft Jul 22 '18 at 09:23
1

Correct answer:

The closest equivalent of chmod og-rwx server.key in Windows 10 is:

```
icacls server.key /reset
icacls server.key /inheritance:r /grant:r "CREATOR OWNER:F"
```

Note that the icacls command is also available in Windows Server 2003 SP2, Windows Vista and newer, but is not available in Windows XP.

The Linux command:

The chmod og-rwx server.key command mentioned in PostgreSQL documentation is using the symbolic mode of chmod:

According to the man page of chmod, the format of symbolic mode is [ugoa...][[-+=][perms...]...].

In the command above letters og mean "Change access of all other users and groups except for the owner of the file".

The minus sign (-) after og is an operator and means "Remove the specified rights from the file".

So chmod og-rwx server.key effectively removes read, write and execute permissions (rwx) on the server.key file for all users except for the owner.

The Windows command:

The Windows command icacls server.key /reset removes explicitly set permissions on the file leaving only inherited permissions.

The command icacls server.key /inheritance:r /grant:r "CREATOR OWNER:F" gives full control only to the owner of the file and removes inherited permissions for all users/groups.

It accomplishes that with the:

  • /inheritance:r option, which removes all permissions inherited from parent directories;
  • /grant:r "CREATOR OWNER:F" option, which replaces explicit permissions for the owner with Full control (F stands for Full control).

Better explanations for these options can be found in the help of the icacls command:

```
PS> icacls /?
...
ICACLS name /reset [/T] [/C] [/L] [/Q]
    replaces ACLs with default inherited ACLs for all matching files.
...
/grant[:r] Sid:perm grants the specified user access rights. With :r,
    the permissions replace any previously granted explicit permissions.
    Without :r, the permissions are added to any previously granted
    explicit permissions.
...
/inheritance:e|d|r
    e - enables inheritance
    d - disables inheritance and copy the ACEs
    r - remove all inherited ACEs
...
```

Hint

Just for completeness you could achieve the same thing with the Windows GUI.

Proper permissions for a server.key file in Windows would look like this:

[Image: Proper permissions for a `server.key` file in Windows]

Before using this command, make sure that the owner of the file is set to the service account that is running the PostgreSQL server or the service won't be able to read the file.

quasoft
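A way to check the result after running either answer's commands, as an added example that is not part of the original answers: it parses the text printed by `icacls server.key` and lists every ACE that still gives someone other than the intended account access to the key. The sample outputs, the account names under `EXAMPLE\` and the function names are constructed for illustration, and the parser assumes the usual `principal:(flags)(rights)` layout of icacls output.

```python
import re

# One ACE as printed by icacls: principal, then parenthesised flags and rights,
# e.g. BUILTIN\Administrators:(I)(F) means inherited (I), Full control (F).
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<parts>(?:\([^)]*\))+)$")

def parse_icacls(output, filename):
    """Return [(principal, inherited, rights)] from `icacls <filename>` output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(filename + " "):
            line = line[len(filename):].strip()  # first ACE shares a line with the name
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        parts = re.findall(r"\(([^)]*)\)", m.group("parts"))
        aces.append((m.group("who"), "I" in parts, parts[-1]))
    return aces

def audit_key_acl(output, filename, allowed):
    """List ACEs that are inherited or belong to a principal not in `allowed`."""
    allowed_cf = {a.casefold() for a in allowed}
    findings = []
    for who, inherited, rights in parse_icacls(output, filename):
        if inherited:
            findings.append(f"{who}: inherited ACE ({rights}), inheritance not removed")
        elif who.casefold() not in allowed_cf:
            findings.append(f"{who}: explicit {rights} for an unexpected principal")
    return findings

# Constructed sample: how the ACL might look after `/grant Everyone:F`.
AFTER_GRANT_EVERYONE = r"""server.key Everyone:(F)
           BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           EXAMPLE\dan:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: a single explicit ACE for a hypothetical service account.
LOCKED_DOWN = r"""server.key EXAMPLE\pgsvc:(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for label, sample in (("Everyone:F", AFTER_GRANT_EVERYONE), ("locked down", LOCKED_DOWN)):
        print(label, audit_key_acl(sample, "server.key", {r"EXAMPLE\pgsvc"}) or "OK")
```

An empty result means the only ACE left is an explicit one for the account passed in `allowed`, which is the state `chmod og-rwx` produces on Linux.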