ssl key mode 400 can not used

[tl321]

https://github.com/lib/pq/blob/master/internal/pqutil/perm.go

func checkPermissions(fi os.FileInfo) error {
// The maximum permissions that a private key file owned by a regular user
// is allowed to have. This translates to u=rw. Regardless of if we're
// running as root or not, 0600 is acceptable, so we return if we match the
// regular user permission mask.
if fi.Mode().Perm()&os.FileMode(0777)^0600 == 0 {
return nil
}

// We need to pull the Unix file information to get the file's owner.
// If we can't access it, there's some sort of operating system level error
// and we should fail rather than attempting to use faulty information.
sys, ok := fi.Sys().(*syscall.Stat_t)
if !ok {
	return ErrSSLKeyUnknownOwnership
}

// if the file is owned by root, we allow 0640 (u=rw,g=r) to match what
// Postgres does.
if sys.Uid == 0 {
	// The maximum permissions that a private key file owned by root is
	// allowed to have. This translates to u=rw,g=r.
	if fi.Mode().Perm()&os.FileMode(0777)^0640 != 0 {
		return ErrSSLKeyHasWorldPermissions
	}
	return nil
}

return ErrSSLKeyHasWorldPermissions

}

[mortebrume]

The new pq update is starting to be used in some applications and it completely breaks everything, since its hard fails.
I don't understand why mounting the certs at 440 is not sufficient for rootless.
Could you please relax this check or at least permit us to use 400 ?

Thank you !

[arp242]

I don't think anything changed here, other than warning by writing to stderr instead of silently skipping the file?

[m00nwtchr]

The checks introduced in: 6ec2ad4 strictly only check for 0600 or 0640 permissions, rather than allowing those OR LOWER permissions.

[mortebrume]

And by default, perhaps depending on the apps who are using pq as a dependency, when the checks fails the application crashes.

Example for miniflux :
14/02/2026 13:42:50 | pq: private key has world access; permissions should be u=rw,g=r (0640) if owned by root, or u=rw (0600), or less

[arp242]

The checks introduced in: 6ec2ad4 strictly only check for 0600 or 0640 permissions, rather than allowing those OR LOWER permissions.

That just moves some existing code around.

Anyway, I just assumed it was a long-standing issue, which is why I haven't looked in to it. I don't have time to look in to this now or next week. If someone had told me it was a regression before instead of dumping a vague line with some malformatted code I could have looked at it for 1.11.2.

So in short, if you want a fix you'll have to send a PR. Please be sure to add a test, too.

[m00nwtchr]

The checks introduced in: 6ec2ad4 strictly only check for 0600 or 0640 permissions, rather than allowing those OR LOWER permissions.

That just moves some existing code around.

Anyway, I just assumed it was a long-standing issue, which is why I haven't looked in to it. I don't have time to look in to this now or next week. If someone had told me it was a regression before instead of dumping a vague line with some malformatted code I could have looked at it for 1.11.2.

So in short, if you want a fix you'll have to send a PR. Please be sure to add a test, too.

userPermissionMask := (0777 ^ 0600)
if perm & userPermissionMask == 0 { return nil }

changed to:

if fi.Mode().Perm()&0777^0600 == 0 { return nil }

which is equivalent to:

if (perm & 0777) == 0600