Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

Christoph Berg <myon@debian.org>

From: Christoph Berg <myon@debian.org>
To: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-01-09T10:30:14Z
Lists: pgsql-hackers
Re: Andrew Dunstan 2019-11-01 <f941b95e-27ad-cb5c-2495-13c44f90b1bc@2ndQuadrant.com>
>  		{"password_required", UserMappingRelationId, false},
> +		/*
> +		 * Extra room for the user mapping copies of sslcert and sslkey. These
> +		 * are really libpq options but we repeat them here to allow them to
> +		 * appear in both foreign server context (when we generate libpq
> +		 * options) and user mapping context (from here). Bit of a hack
> +		 * putting this in "non_libpq_options".
> +		 */
> +		{"sslcert", UserMappingRelationId, true},
> +		{"sslkey", UserMappingRelationId, true},

Nice feature, we were actually looking for exactly this yesterday.

I have some concerns about security, though. It's true that the
sslcert/sslkey options can only be set/modified by superusers when
"password_required" is set. But when password_required is not set, any
user and create user mappings that reference arbitrary files on the
server filesystem. I believe the options are still used in that case
for creating connections, even when that means the remote server isn't
set up for cert auth, which needs password_required=false to succeed.

In short, I believe these options need explicit superuser checks.

Christoph



Commits

  1. Only superuser can set sslcert/sslkey in postgres_fdw user mappings