Re: Non-superuser subscription owners - Mailing list pgsql-hackers

From Andres Freund
Subject Re: Non-superuser subscription owners
Date
Msg-id 20230123182639.x3s7e2x55f2n6qrc@awork3.anarazel.de
Whole thread Raw
In response to Re: Non-superuser subscription owners  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Non-superuser subscription owners
List pgsql-hackers
Hi,

On 2023-01-23 11:34:32 -0500, Robert Haas wrote:
> I will admit that this is not an open-and-shut case, because a
> passwordless login back to the bootstrap superuser account from the
> local machine is a pretty common scenario and doesn't feel
> intrinsically unreasonable to me, and I hadn't thought about that as a
> potential attack vector.

I think it's 90% of the problem... There's IMO no particularly good
alternative to a passwordless login for the bootstrap superuser, and it's the
account you least want to expose...


> > > I still think you're talking about a different problem here. I'm
> > > talking about the problem of knowing whether local files are going to
> > > be accessed by the connection string.
> >
> > Why is this only about local files, rather than e.g. also using the local
> > user?
> 
> Because there's nothing you can do about the local-user case.
> 
> If I'm asked to attempt to connect to a PostgreSQL server, and I
> choose to do that, and the connection succeeds, all I know is that the
> connection actually succeeded.

Well, there is PQconnectionUsedPassword()... Not that it's a great answer.

Greetings,

Andres Freund



pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: Fix incorrect comment reference
Next
From: Jacob Champion
Date:
Subject: Re: Non-superuser subscription owners