subject:"pgsql\: Allow 'sslkey' and 'sslcert' in postgres

Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

2020-01-20 Thread Andrew Dunstan



On 1/20/20 2:48 AM, Craig Ringer wrote:
> On Thu, 9 Jan 2020 at 22:38, Christoph Berg  > wrote:
>
> Re: Robert Haas 2020-01-09
>  >
> > Does this mean that a non-superuser can induce postgres_fdw to
> read an
> > arbitrary file from the local filesystem?
>
> Yes, see my comments in the "Allow 'sslkey' and 'sslcert' in
> postgres_fdw user mappings" thread.
>
>
> Ugh, I misread your comment.
>
> You raise a sensible concern.
>
> These options should be treated the same as the proposed option to
> allow passwordless connections: disallow creation or alteration of FDW
> connection strings that use them by non-superusers. So a superuser can
> define a user mapping that uses these options, but normal users may not.
>
>


Already done.


cheers


andrew


-- 
Andrew Dunstanhttps://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

2020-01-19 Thread Craig Ringer

On Thu, 9 Jan 2020 at 22:38, Christoph Berg  wrote:

> Re: Robert Haas 2020-01-09  nw+...@mail.gmail.com>
> > Does this mean that a non-superuser can induce postgres_fdw to read an
> > arbitrary file from the local filesystem?
>
> Yes, see my comments in the "Allow 'sslkey' and 'sslcert' in
> postgres_fdw user mappings" thread.

Ugh, I misread your comment.

You raise a sensible concern.

These options should be treated the same as the proposed option to allow
passwordless connections: disallow creation or alteration of FDW connection
strings that use them by non-superusers. So a superuser can define a user
mapping that uses these options, but normal users may not.

-- 
 Craig Ringer   http://www.2ndQuadrant.com/
 2ndQuadrant - PostgreSQL Solutions for the Enterprise

Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

2020-01-09 Thread Christoph Berg

Re: Robert Haas 2020-01-09 

> Does this mean that a non-superuser can induce postgres_fdw to read an
> arbitrary file from the local filesystem?

Yes, see my comments in the "Allow 'sslkey' and 'sslcert' in
postgres_fdw user mappings" thread.

Christoph

Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

2020-01-09 Thread Robert Haas

On Thu, Jan 9, 2020 at 3:11 AM Andrew Dunstan  wrote:
> Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings
>
> This allows different users to authenticate with different certificates.
>
> Author: Craig Ringer
>
> https://git.postgresql.org/pg/commitdiff/f5fd995a1a24e6571d26b1e29c4dc179112b1003

Does this mean that a non-superuser can induce postgres_fdw to read an
arbitrary file from the local filesystem?

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

Re: pgsql: Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings

4 matches

Site Navigation

Mail list logo

Footer information