Home > mailing lists

Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings - Mailing list pgsql-hackers

From	Craig Ringer
Subject	Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings
Date	January 20, 2020 10:48:37
Msg-id	CAMsr+YH1+jG0+23RVzab+y9ZrE=ps3GXCqYEyY7hLDdnveLPjQ@mail.gmail.com Whole thread Raw
In response to	Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings (Christoph Berg <myon@debian.org>)
Responses	Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings (Andrew Dunstan <andrew.dunstan@2ndquadrant.com>)
List	pgsql-hackers

Tree view

On Thu, 9 Jan 2020 at 22:38, Christoph Berg <myon@debian.org> wrote:

Re: Robert Haas 2020-01-09 <CA+TgmoZEjyv_PD=2cinkbDA_chyLNAcBPL_9bKJQ6bc=nw+FHA@mail.gmail.com>
> Does this mean that a non-superuser can induce postgres_fdw to read an
> arbitrary file from the local filesystem?

Yes, see my comments in the "Allow 'sslkey' and 'sslcert' in
postgres_fdw user mappings" thread.

Ugh, I misread your comment.

You raise a sensible concern.

These options should be treated the same as the proposed option to allow passwordless connections: disallow creation or alteration of FDW connection strings that use them by non-superusers. So a superuser can define a user mapping that uses these options, but normal users may not.

Craig Ringer http://www.2ndQuadrant.com/
2ndQuadrant - PostgreSQL Solutions for the Enterprise

pgsql-hackers by date:

From: Masahiko Sawada
Date: 20 January 2020, 10:46:50
Subject: Re: base backup client as auxiliary backend process

From: Yugo NAGATA
Date: 20 January 2020, 10:57:58
Subject: Re: Implementing Incremental View Maintenance

Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings - Mailing list pgsql-hackers

Previous

Next