| From: | Noah Yetter <nyetter(at)gmail(dot)com> |
|---|---|
| To: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | GRANT USAGE on FOREIGN SERVER exposes passwords |
| Date: | 2015-02-03 23:26:01 |
| Message-ID: | CAPuoA+k+aq68kF4y5k6=OWMx0wqq5+ZoO3i7uTmC1oV8Thkr_w@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
When a user is granted USAGE on a foreign server, the psql command \deu+
will show them the username and password bound to the applicable user
mapping.
To demonstrate (9.3+):
(as a superuser)
# create extension postgres_fdw ;
# create foreign server loopback_server
foreign data wrapper postgres_fdw
options(host '127.0.0.1', port '5432') ;
# create user mapping for public
server loopback_server
options(username 'foo', password 'bar') ;
(as a normal user)
> \deu+
List of user mappings
Server | User name | FDW Options
-----------------------+-----------+----------------
loopback_server | public |
(1 row)
So far so good?
> select * from dblink('loopback_server', 'select current_date') as
x(column1 date) ;
ERROR: permission denied for foreign server loopback_server
OK, I can't do that now. Let's fix it:
# grant usage on foreign server loopback_server to public ;
> select * from dblink('loopback_server', 'select current_date') as
x(column1 date) ;
column1
------------
2015-02-03
(1 row)
Sweet! But...
> \deu+
List of user mappings
Server | User name | FDW Options
-----------------------+-----------+--------------------------------
loopback_server | public | ("user" 'foo', password 'bar')
(1 row)
Crap.
(FWIW, it doesn't matter whether you grant to PUBLIC or to a specific user,
the result is the same.)
The obvious objection is, "well you should just use foreign tables instead
of dblink()". I'll cut a long story short by saying that doesn't work for
us. We are using postgres_fdw to allow our analysts to run queries against
AWS Redshift and blend those results with tables in our OLTP schema. If
you know anything about Redshift, or about analysts, you'll realize
immediately why foreign tables are not a viable solution. Surely there are
many others in a similar position, where the flexibility offered by
dblink() makes it preferable to fixed foreign tables.
Soooo... what gives? This seems like a really obvious security hole. I've
searched the mailing list archives repeatedly and found zero discussion of
this issue.
--
Noah Yetter
Data Architect/DBA @ Craftsy
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2015-02-04 00:23:23 | Re: pgsql: Add API functions to libpq to interrogate SSL related stuff. |
| Previous Message | Andres Freund | 2015-02-03 23:10:22 | Re: Re: [COMMITTERS] pgsql: Process 'die' interrupts while reading/writing from the client s |