Re: [PG19-3 PATCH] Don't ignore passfile

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: postgresql(dot)cache976(at)passmail(dot)net
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PG19-3 PATCH] Don't ignore passfile
Date: 2025-09-04 15:56:08
Message-ID: 1034055.1757001368@sss.pgh.pa.us
Lists: pgsql-hackers

postgresql(dot)cache976(at)passmail(dot)net writes:
> The small patch (against postgres:master for PG19-3) changes postgres to permit "passfile"s with open permissions.

I think the odds that we'd accept this change are not distinguishable
from zero. It flies in the face of security concerns, and your
arguments in favor of it are pretty thin.

I will concede your point that the error message isn't really clear
that we're ignoring the passfile, but that could be addressed
simply by rephrasing the message, perhaps like

"WARNING: password file \"%s\" was ignored because it allows group or world access; permissions must be u=rw (0600) or less\n"

Another idea could be to fail the connection instead of treating this
as a warning condition. But I imagine that if the passfile would
actually be used, the connection would fail anyway.

> - The check does not follow symlinks to check the actual file permissions.

Really? It's based on fstat which is going to check the
actually-opened file.

> - The check is inconsistent with the private key file check at /src/backend/libpq/be-secure-common.c:171 which permits group read access.

We could certainly have a discussion about whether the scenario being
catered to there (a root-owned file that we have group access to)
is sensible for password files. I kind of doubt it but maybe I'm
missing something. Note that fe-secure-openssl.c would be a better
reference point for code that is executing on the client side.

In general I'm open to carefully-thought-out improvements to this
check. But "we don't need to enforce this at all" isn't going to
happen.

regards, tom lane

PS: please use an email agent that provides References: headers in
replies, else this conversation will be impossible to follow in our
mail archives (or many people's mail readers). I see that your
response to Umar is already a disconnected thread.

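Added example (not libpq code and not from this thread): a small fstat-based passfile check in C, written here to make concrete the two points in the reply above. It shows that examining the descriptor we actually opened, rather than the pathname, means a symlink is resolved before the permission bits are inspected, and how a server-style "root-owned, group-readable" exception would differ from the client-side u=rw (0600) rule. The function names, the status enum, the sample pgpass line and the temp-file helper are all invented for this example; the server-style branch is an approximation of the rule Tom refers to, not the project's actual be-secure-common.c logic.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef enum { PF_OK, PF_CANNOT_OPEN, PF_NOT_REGULAR, PF_TOO_OPEN } pf_status;

/* Inspect the file through the descriptor we opened (fstat), not the pathname
 * (stat/lstat): a symlink at the path is resolved by open(), so the mode bits
 * examined are those of the target, and there is no window between checking
 * and reading in which the path could be swapped for something else. */
static pf_status check_passfile_fd(int fd, int server_style)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return PF_CANNOT_OPEN;
    if (!S_ISREG(st.st_mode))
        return PF_NOT_REGULAR;

    if (server_style && st.st_uid == 0) {
        /* Assumed approximation of the server-side key-file rule: a root-owned
         * file may be group-readable (0640) but not group-writable or
         * world-accessible. Not the project's real code. */
        return (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) ? PF_TOO_OPEN : PF_OK;
    }
    /* Client-side rule: any group or world bit disqualifies the file. */
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? PF_TOO_OPEN : PF_OK;
}

pf_status check_passfile(const char *path, int server_style)
{
    int fd = open(path, O_RDONLY);
    pf_status s;

    if (fd < 0)
        return PF_CANNOT_OPEN;
    s = check_passfile_fd(fd, server_style);
    close(fd);
    return s;
}

/* Demo helper: write a constructed pgpass line to a fresh temp file and set its
 * mode explicitly (fchmod is not subject to the umask). */
int make_temp_passfile(char *path_out, size_t len, mode_t mode)
{
    char tmpl[] = "/tmp/pgpass_exXXXXXX";
    static const char line[] = "localhost:5432:mydb:alice:hunter2\n"; /* constructed */
    int fd = mkstemp(tmpl);

    if (fd < 0)
        return 0;
    if (write(fd, line, sizeof line - 1) != (ssize_t)(sizeof line - 1) ||
        fchmod(fd, mode) != 0) {
        close(fd);
        unlink(tmpl);
        return 0;
    }
    close(fd);
    snprintf(path_out, len, "%s", tmpl);
    return 1;
}

/* Run five scenarios; returns how many behaved as expected (5 when all do). */
int run_passfile_scenarios(void)
{
    char p[64], link[96];
    int passed = 0;

    /* 1. u=rw only: accepted under the client rule */
    if (make_temp_passfile(p, sizeof p, 0600)) {
        passed += (check_passfile(p, 0) == PF_OK);
        unlink(p);
    }
    /* 2. group read bit set: rejected under the client rule, regardless of owner */
    if (make_temp_passfile(p, sizeof p, 0640)) {
        passed += (check_passfile(p, 0) == PF_TOO_OPEN);
        /* 3. the server-style rule relaxes this only when the file is root-owned,
         *    i.e. only when this demo itself runs as root */
        passed += (check_passfile(p, 1) == ((geteuid() == 0) ? PF_OK : PF_TOO_OPEN));
        unlink(p);
    }
    /* 4. symlink (0777 under lstat) pointing at a 0644 file: fstat sees 0644 */
    if (make_temp_passfile(p, sizeof p, 0644)) {
        snprintf(link, sizeof link, "%s.lnk", p);
        if (symlink(p, link) == 0) {
            passed += (check_passfile(link, 0) == PF_TOO_OPEN);
            unlink(link);
        }
        unlink(p);
    }
    /* 5. a directory opens fine but is not a regular file */
    passed += (check_passfile(".", 0) == PF_NOT_REGULAR);
    return passed;
}

int main(void)
{
    printf("%d of 5 scenarios behaved as expected\n", run_passfile_scenarios());
    return 0;
}
```

Run as an unprivileged user, the 0640 file is rejected under both rules; run as root, the server-style variant accepts it, which is precisely the root-owned, group-accessible scenario the reply above questions as a fit for password files.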