Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Christoph Berg <myon@debian.org>
Cc: Andrew Dunstan <andrew.dunstan@2ndquadrant.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-01-09T14:51:32Z
Lists: pgsql-hackers
On Thu, Jan 9, 2020 at 5:30 AM Christoph Berg <myon@debian.org> wrote: > I have some concerns about security, though. It's true that the > sslcert/sslkey options can only be set/modified by superusers when > "password_required" is set. But when password_required is not set, any > user and create user mappings that reference arbitrary files on the > server filesystem. I believe the options are still used in that case > for creating connections, even when that means the remote server isn't > set up for cert auth, which needs password_required=false to succeed. > > In short, I believe these options need explicit superuser checks. I share the concern about the security issue here. I can't testify to whether Christoph's whole analysis is here, but as a general point, non-superusers can't be allowed to do things that cause the server to access arbitrary local files. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Commits
-
Only superuser can set sslcert/sslkey in postgres_fdw user mappings
- cebf9d6e6ee1 13.0 landed