Thread: pgsql: postgres_fdw: improve security checks
postgres_fdw: improve security checks SCRAM pass-through should not bypass the FDW security check as it was implemented for postgres_fdw in commit 761c79508e7. This commit improves the security check by adding new SCRAM pass-through checks to ensure that the required SCRAM connection options are not overwritten by the user mapping or foreign server options. This is meant to match the security requirements for a password-using connection. Since libpq has no SCRAM-specific equivalent of PQconnectionUsedPassword(), we enforce this instead by making the use_scram_passthrough option of postgres_fdw imply require_auth=scram-sha-256. This means that if use_scram_passthrough is set, some situations that might otherwise have worked are preempted, for example GSSAPI with delegated credentials. This could be enhanced in the future if there is desire for more flexibility. Reported-by: Jacob Champion <jacob.champion@enterprisedb.com> Author: Matheus Alcantara <mths.dev@pm.me> Co-authored-by: Jacob Champion <jacob.champion@enterprisedb.com> Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com> Discussion: https://www.postgresql.org/message-id/flat/CAFY6G8ercA1KES%3DE_0__R9QCTR805TTyYr1No8qF8ZxmMg8z2Q%40mail.gmail.com Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/76563f88cfbd91696e7ebe568dead648f2d229ff Modified Files -------------- contrib/postgres_fdw/connection.c | 102 ++++++++++++++++++++++++++----- contrib/postgres_fdw/t/001_auth_scram.pl | 41 +++++++++++++ doc/src/sgml/postgres-fdw.sgml | 11 +--- 3 files changed, 132 insertions(+), 22 deletions(-)
Peter Eisentraut <peter@eisentraut.org> writes:
> postgres_fdw: improve security checks
This patch is failing on "drongo" [1]. It looks like the problem
is that the pg_hba.conf file being used doesn't allow for TCP
loopback connections.
To make that safe, the test would have to be changed to not run by
default. We could gate it with a PG_TEST_EXTRA check ... but the
end result would likely be that it gets run by just about nobody.
I wonder whether it's worth the trouble.
regards, tom lane
[1] https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=drongo&dt=2025-03-25%2002%3A11%3A12
On 26.03.25 01:59, Tom Lane wrote: > Peter Eisentraut <peter@eisentraut.org> writes: >> postgres_fdw: improve security checks > > This patch is failing on "drongo" [1]. It looks like the problem > is that the pg_hba.conf file being used doesn't allow for TCP > loopback connections. > > To make that safe, the test would have to be changed to not run by > default. We could gate it with a PG_TEST_EXTRA check ... but the > end result would likely be that it gets run by just about nobody. > I wonder whether it's worth the trouble. This has been fixed.