Re: [PG19-3 PATCH] Don't ignore passfile

> It flies in the face of security concerns, and your arguments in favor
of it are pretty thin.
To me the existing check looked pretty lose and I am probably not fully
aware of the security constraints here, hence the suggested patch.

> Really? It's based on fstat which is going to check the actually-opened
file.
My bad, I was testing with group read permission, before realizing that
those aren't allowed either.

> Another idea could be to fail the connection instead of treating this as
a warning condition.
As noted in the proposal, if the check stays I'd argue that it should be an
error.
I can't imaging a case where the user is happy with specifying a passfile
and have it be ignored, but maybe somebody can think of a scenario.
Other permission checks are already errors (as in
/src/interfaces/libpq/fe-secure-openssl.c:1269)

> But I imagine that if the passfile would actually be used, the connection
would fail anyway.
I'm not sure I am following. Yes, the authentication doesn't work without
the passfile, but error cause message and error effect messages are
disconnected in the logs.

> We could certainly have a discussion about whether the scenario being
catered to there (a root-owned file that we have group access to) is
sensible for password files.
In Kubernetes, when setting "defaultMode: 0400" and
"securityContext.fsGroup: 2000" to mount a file for example you end up with
the minimal permissions on the mounted file:
-r--r----- 1 root 2000 90 Sep 1 14:42 password
This is just one example use case, I'd imaging others can think of more.
Maybe someone is running a database server and client application with
separate users on a system and symlinks the passfile or references it by
path to have a single source of truth.

> In general I'm open to carefully-thought-out improvements to this check
Converting the warning to an error and allowing group read permissions
would be a solid solution IMO.
If that turns out to be accepted, I'd be happy to update the patch but I
have no experience with the codebase, nor professional C experience.
I can give it a try, but it might be easier for everyone if someone more
familiar with the code implements the change.
Let me know how to proceed.

Kind regards
Paul Ohlhauser

PS:
> please use an email agent that provides References
Sorry I switched email addresses after my first mail and hoped it would
connect the thread.
I wont be switching addresses again any time soon