database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-11 20:28:21 +03:00
Code Activity

Only superuser can set sslcert/sslkey in postgres_fdw user mappings

Browse Source 
Othrwise there is a security risk.

Discussion: https://postgr.es/m/20200109103014.GA4192@msg.df7cb.de
This commit is contained in:
Andrew Dunstan
2020-01-13 18:08:09 +10:30
parent 4e514c6180
commit cebf9d6e6e
4 changed files with 31 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
contrib/postgres_fdw/expected/postgres_fdw.out
View File

@ -8898,6 +8898,15 @@ SELECT * FROM ft1_nopw LIMIT 1;
1111 | 2 | | | | | ft1 |
(1 row)
-- unpriv user also cannot set sslcert / sslkey on the user mapping
-- first set password_required so we see the right error messages
ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (SET password_required 'true');
ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslcert 'foo.crt');
ERROR: sslcert and sslkey are superuser-only
HINT: User mappings with the sslcert or sslkey options set may only be created or modified by the superuser
ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslkey 'foo.key');
ERROR: sslcert and sslkey are superuser-only
HINT: User mappings with the sslcert or sslkey options set may only be created or modified by the superuser
-- We're done with the role named after a specific user and need to check the
-- changes to the public mapping.
DROP USER MAPPING FOR CURRENT_USER SERVER loopback_nopw;