Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings
Christoph Berg <myon@debian.org>
From: Christoph Berg <myon@debian.org>
To: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-01-09T12:48:55Z
Lists: pgsql-hackers
Re: To Andrew Dunstan 2020-01-09 <20200109103014.GA4192@msg.df7cb.de>
> I believe the options are still used in that case
> for creating connections, even when that means the remote server isn't
> set up for cert auth, which needs password_required=false to succeed.
They are indeed:
stat("/var/lib/postgresql/.postgresql/root.crt", 0x7ffcff3e2bb0) = -1 ENOENT (Datei oder Verzeichnis nicht gefunden)
stat("/foo", 0x7ffcff3e2bb0) = -1 ENOENT (Datei oder Verzeichnis nicht gefunden)
^^^^ sslcert
I'm not sure if that could be exploited in any way, but let's just
forbid it.
Christoph
Commits
-
Only superuser can set sslcert/sslkey in postgres_fdw user mappings
- cebf9d6e6ee1 13.0 landed