On Thu, Jan 9, 2020 at 5:30 AM Christoph Berg <m...@debian.org> wrote: > I have some concerns about security, though. It's true that the > sslcert/sslkey options can only be set/modified by superusers when > "password_required" is set. But when password_required is not set, any > user and create user mappings that reference arbitrary files on the > server filesystem. I believe the options are still used in that case > for creating connections, even when that means the remote server isn't > set up for cert auth, which needs password_required=false to succeed. > > In short, I believe these options need explicit superuser checks.
I share the concern about the security issue here. I can't testify to whether Christoph's whole analysis is here, but as a general point, non-superusers can't be allowed to do things that cause the server to access arbitrary local files. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
