Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Christoph Berg <myon(at)debian(dot)org>
Cc: Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings
Date: 2020-01-09 14:51:32
Message-ID: CA+Tgmob9kmZt7RU+hd5AXWSphO1F9tFa2RNOiBiXSh-5VqP+-w@mail.gmail.com
Lists: pgsql-hackers

On Thu, Jan 9, 2020 at 5:30 AM Christoph Berg <myon(at)debian(dot)org> wrote:
> I have some concerns about security, though. It's true that the
> sslcert/sslkey options can only be set/modified by superusers when
> "password_required" is set. But when password_required is not set, any
> user can create user mappings that reference arbitrary files on the
> server filesystem. I believe the options are still used in that case
> for creating connections, even when that means the remote server isn't
> set up for cert auth, which needs password_required=false to succeed.
>
> In short, I believe these options need explicit superuser checks.

I share the concern about the security issue here. I can't testify to
whether Christoph's whole analysis is here, but as a general point,
non-superusers can't be allowed to do things that cause the server to
access arbitrary local files.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
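
A catalog audit for the concern discussed above, added here as an example and not part of the original message or of the PostgreSQL source: it lists every postgres_fdw user mapping that carries sslcert or sslkey, with the referenced file path and whether the mapped role and the server owner are superusers. It assumes the foreign-data wrapper is installed under its default name postgres_fdw and that the query is run as a superuser.

```sql
-- Added example. Run as a superuser: pg_user_mappings returns NULL umoptions
-- for mappings the current role is not allowed to inspect.
SELECT um.srvname,
       um.usename                            AS mapped_role,   -- 'public' for the PUBLIC mapping
       COALESCE(mr.rolsuper, false)          AS mapped_role_is_superuser,
       so.rolname                            AS server_owner,
       so.rolsuper                           AS server_owner_is_superuser,
       split_part(o.opt, '=', 1)             AS option_name,
       substr(o.opt, strpos(o.opt, '=') + 1) AS file_path      -- path on the local server
FROM pg_user_mappings AS um
JOIN pg_foreign_server AS fs        ON fs.oid  = um.srvid
JOIN pg_foreign_data_wrapper AS fdw ON fdw.oid = fs.srvfdw
JOIN pg_roles AS so                 ON so.oid  = fs.srvowner
LEFT JOIN pg_roles AS mr            ON mr.oid  = um.umuser     -- umuser = 0 means PUBLIC
CROSS JOIN LATERAL unnest(um.umoptions) AS o(opt)              -- one row per 'keyword=value'
WHERE fdw.fdwname = 'postgres_fdw'                             -- assumption: default wrapper name
  AND split_part(o.opt, '=', 1) IN ('sslcert', 'sslkey')
ORDER BY um.srvname, um.usename, option_name;
```

Rows where neither the mapped role nor the server owner is a superuser are the ones to review first, since the catalogs do not record who created a mapping.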
