On Thu, 9 Jan 2020 at 22:38, Christoph Berg <m...@debian.org> wrote: > Re: Robert Haas 2020-01-09 <CA+TgmoZEjyv_PD=2cinkbDA_chyLNAcBPL_9bKJQ6bc= > nw+...@mail.gmail.com> > > Does this mean that a non-superuser can induce postgres_fdw to read an > > arbitrary file from the local filesystem? > > Yes, see my comments in the "Allow 'sslkey' and 'sslcert' in > postgres_fdw user mappings" thread.
Ugh, I misread your comment. You raise a sensible concern. These options should be treated the same as the proposed option to allow passwordless connections: disallow creation or alteration of FDW connection strings that use them by non-superusers. So a superuser can define a user mapping that uses these options, but normal users may not. -- Craig Ringer http://www.2ndQuadrant.com/ 2ndQuadrant - PostgreSQL Solutions for the Enterprise