Participants
Jeff Davis
Jeff Davis
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1Jeff DavisJeff Davis
Jan 12, 2024
#2Jeff DavisJeff Davisto Jeff Davis (#1)
Jan 13, 2024
#3Tom LaneTom Laneto Jeff Davis (#2)
Jan 16, 2024

pgsql: Re-validate connection string in libpqrcv_connect().

Started by Jeff Davisover 2 years ago3 messagescomitters
Jump to latest
#1Jeff Davis
Jeff Davis
pgsql@j-davis.com

Re-validate connection string in libpqrcv_connect().

A superuser may create a subscription with password_required=true, but
which uses a connection string without a password.

Previously, if the owner of such a subscription was changed to a
non-superuser, the non-superuser was able to utilize a password from
another source (like a password file or the PGPASSWORD environment
variable), which should not have been allowed.

This commit adds a step to re-validate the connection string before
connecting.

Reported-by: Jeff Davis
Author: Vignesh C
Reviewed-by: Peter Smith, Robert Haas, Amit Kapila
Discussion: /messages/by-id/e5892973ae2a80a1a3e0266806640dae3c428100.camel@j-davis.com
Backpatch-through: 16

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/5c31669058b5550b4b3d623c07bc4203c11b8316

Modified Files
--------------
doc/src/sgml/ref/create_subscription.sgml | 11 +--
.../libpqwalreceiver/libpqwalreceiver.c | 9 +++
src/test/subscription/t/027_nosuperuser.pl | 80 ++++++++++++++++++++++
3 files changed, 95 insertions(+), 5 deletions(-)

#2Jeff Davis
Jeff Davis
pgsql@j-davis.com
In reply to: Jeff Davis (#1)
Re: pgsql: Re-validate connection string in libpqrcv_connect().

On Fri, 2024-01-12 at 21:43 +0000, Jeff Davis wrote:

Re-validate connection string in libpqrcv_connect().

Looks like the test is causing problems on drogo:

ERROR: could not connect to the publisher: connection to server at
"127.0.0.1", port 54707 failed: FATAL: SSPI authentication failed for
user "regress_test_user"'

https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=drongo&dt=2024-01-13%2002%3A41%3A35

I think we need to change the pg_hba.conf on the publisher before
creating (or at least before enabling) the subscription. I might have
to commit a trial fix unless someone can debug this more easily on
drogo's configuration.

I suppose I could also take out the test, but I like that it adds
better coverage of the password_required setting.

Regards,
Jeff Davis

#3Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Jeff Davis (#2)
Re: pgsql: Re-validate connection string in libpqrcv_connect().

Jeff Davis <pgsql@j-davis.com> writes:

Re-validate connection string in libpqrcv_connect().

Looks like the test is causing problems on drogo:

ERROR: could not connect to the publisher: connection to server at
"127.0.0.1", port 54707 failed: FATAL: SSPI authentication failed for
user "regress_test_user"'

I might be wrong, but I think the problem is lack of an auth_extra
setting for that role. See for example 1e3f461e8.

regards, tom lane

← Back to Topics