Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

From Andrew Dunstan
Subject Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings
Date
Msg-id CAA8=A79goycZqfJVXsuCryFRJSvzx2LQ+C_gqXUty_RBp3VNqg@mail.gmail.com
In reply to Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings  (Daniel Gustafsson <daniel@yesql.se>)
Re: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Fri, Jan 10, 2020 at 1:21 AM Robert Haas <robertmhaas@gmail.com> wrote:
>
> On Thu, Jan 9, 2020 at 5:30 AM Christoph Berg <myon@debian.org> wrote:
> > I have some concerns about security, though. It's true that the
> > sslcert/sslkey options can only be set/modified by superusers when
> > "password_required" is set. But when password_required is not set, any
> > user can create user mappings that reference arbitrary files on the
> > server filesystem. I believe the options are still used in that case
> > for creating connections, even when that means the remote server isn't
> > set up for cert auth, which needs password_required=false to succeed.
> >
> > In short, I believe these options need explicit superuser checks.
>
> I share the concern about the security issue here. I can't testify to
> whether Christoph's whole analysis is here, but as a general point,
> non-superusers can't be allowed to do things that cause the server to
> access arbitrary local files.


It's probably fairly easy to do (c.f. 6136e94dcb). I'm not (yet)
convinced that there is any significant security threat here. This
doesn't give the user or indeed any postgres code any access to the
contents of these files. But if there is a consensus to restrict this
I'll do it.

cheers

andrew

-- 
Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
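
Added example, not part of the original message or of the PostgreSQL project's code: an audit query a DBA could run on a server where these options are accepted in user mappings, listing every postgres_fdw mapping that names a certificate file, a key file, or `password_required`, together with whether the mapped role is a superuser. It assumes the wrapper was installed under its default name `postgres_fdw` and that the query is run as a superuser.

```sql
-- Added audit example. Run as superuser: pg_user_mappings shows umoptions
-- as NULL to roles that are not allowed to see a mapping's options.
SELECT m.srvname,
       m.usename,                                  -- 'public' for a PUBLIC mapping
       COALESCE(r.rolsuper, false) AS mapped_role_is_superuser,
       o.option_name,
       o.option_value                              -- server-side file path for sslcert/sslkey
FROM pg_user_mappings AS m
JOIN pg_foreign_server AS s
  ON s.oid = m.srvid
JOIN pg_foreign_data_wrapper AS w
  ON w.oid = s.srvfdw
LEFT JOIN pg_roles AS r
  ON r.oid = m.umuser                              -- umuser = 0 (PUBLIC) has no pg_roles row
CROSS JOIN LATERAL pg_options_to_table(m.umoptions) AS o
WHERE w.fdwname = 'postgres_fdw'                   -- assumption: default wrapper name
  AND o.option_name IN ('sslcert', 'sslkey', 'password_required')
ORDER BY m.srvname, m.usename, o.option_name;
```

The catalog does not record which role created a mapping, so rows where `mapped_role_is_superuser` is false are the ones to review by hand against the file paths they reference.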


