pgsql: postgres_fdw: improve security checks

Started by Peter Eisentraut over 1 year ago, 3 messages, pgsql-committers
#1Peter Eisentraut
peter_e@gmx.net

postgres_fdw: improve security checks

SCRAM pass-through should not bypass the FDW security check as it was
implemented for postgres_fdw in commit 761c79508e7.

This commit improves the security check by adding new SCRAM
pass-through checks to ensure that the required SCRAM connection
options are not overwritten by the user mapping or foreign server
options. This is meant to match the security requirements for a
password-using connection.

Since libpq has no SCRAM-specific equivalent of
PQconnectionUsedPassword(), we enforce this instead by making the
use_scram_passthrough option of postgres_fdw imply
require_auth=scram-sha-256. This means that if use_scram_passthrough
is set, some situations that might otherwise have worked are
preempted, for example GSSAPI with delegated credentials. This could
be enhanced in the future if there is desire for more flexibility.

Reported-by: Jacob Champion <jacob.champion@enterprisedb.com>
Author: Matheus Alcantara <mths.dev@pm.me>
Co-authored-by: Jacob Champion <jacob.champion@enterprisedb.com>
Reviewed-by: Jacob Champion <jacob.champion@enterprisedb.com>
Discussion: /messages/by-id/CAFY6G8ercA1KES=E_0__R9QCTR805TTyYr1No8qF8ZxmMg8z2Q@mail.gmail.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/76563f88cfbd91696e7ebe568dead648f2d229ff

Modified Files
--------------
contrib/postgres_fdw/connection.c | 102 ++++++++++++++++++++++++++-----
contrib/postgres_fdw/t/001_auth_scram.pl | 41 +++++++++++++
doc/src/sgml/postgres-fdw.sgml | 11 +---
3 files changed, 132 insertions(+), 22 deletions(-)
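The following is an added example of the configuration the commit message is talking about; it is not code from the commit, the thread, or the PostgreSQL documentation. It sets up a postgres_fdw server that relies on SCRAM pass-through, then shows the kind of option override the new check is meant to catch. The server name, role name, host, database and table are constructed for illustration; the assumption that the check fires at connection time (rather than when the option is set) follows from the change being in connection.c, and the exact error text is not given on this page.

```sql
-- Added example, not from the commit or the PostgreSQL docs. Names, host
-- and table are made up; the expected failures are assumptions drawn from
-- the commit message, not copied from observed output.

CREATE EXTENSION IF NOT EXISTS postgres_fdw;

-- use_scram_passthrough forwards the SCRAM client/server keys of the
-- local session, so the local user must itself have authenticated with
-- SCRAM. Per the commit, setting it implies require_auth=scram-sha-256
-- on the outgoing libpq connection.
CREATE SERVER remote_db
    FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (host 'db.internal.example', port '5432', dbname 'app',
             use_scram_passthrough 'true');

-- No password in the mapping: the remote side verifies the forwarded
-- SCRAM credentials, so the same role must exist on both servers.
CREATE USER MAPPING FOR app_user SERVER remote_db
    OPTIONS (user 'app_user');

GRANT USAGE ON FOREIGN SERVER remote_db TO app_user;

IMPORT FOREIGN SCHEMA public LIMIT TO (orders)
    FROM SERVER remote_db INTO public;

-- A query as app_user opens the remote connection and therefore runs
-- through the new security checks (assumption: connection-time check).
SET ROLE app_user;
SELECT count(*) FROM orders;
RESET ROLE;

-- What the check guards against: a server or user-mapping option that
-- overwrites one of the SCRAM options pass-through depends on. Here the
-- implied require_auth is overridden to plain password authentication,
-- which would let a pass-through server silently downgrade to a
-- password-based connection. Per the commit message this combination is
-- rejected once app_user next connects; the same applies to overriding
-- the SCRAM key options the pass-through supplies.
ALTER SERVER remote_db OPTIONS (ADD require_auth 'password');

SET ROLE app_user;
SELECT count(*) FROM orders;   -- assumed to fail the postgres_fdw check
RESET ROLE;
```

Note the trade-off the commit message spells out: because require_auth=scram-sha-256 is forced, a foreign server that would otherwise have accepted GSSAPI with delegated credentials is no longer reachable through a pass-through server.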

#2Tom Lane
tgl@sss.pgh.pa.us
In reply to: Peter Eisentraut (#1)
Re: pgsql: postgres_fdw: improve security checks

Peter Eisentraut <peter@eisentraut.org> writes:
> postgres_fdw: improve security checks

This patch is failing on "drongo" [1]. It looks like the problem
is that the pg_hba.conf file being used doesn't allow for TCP
loopback connections.

To make that safe, the test would have to be changed to not run by
default. We could gate it with a PG_TEST_EXTRA check ... but the
end result would likely be that it gets run by just about nobody.
I wonder whether it's worth the trouble.

regards, tom lane

[1]: https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=drongo&dt=2025-03-25%2002%3A11%3A12

#3Peter Eisentraut
peter_e@gmx.net
In reply to: Tom Lane (#2)
Re: pgsql: postgres_fdw: improve security checks

On 26.03.25 01:59, Tom Lane wrote:

> Peter Eisentraut <peter@eisentraut.org> writes:
>
> > postgres_fdw: improve security checks
>
> This patch is failing on "drongo" [1]. It looks like the problem
> is that the pg_hba.conf file being used doesn't allow for TCP
> loopback connections.
>
> To make that safe, the test would have to be changed to not run by
> default. We could gate it with a PG_TEST_EXTRA check ... but the
> end result would likely be that it gets run by just about nobody.
> I wonder whether it's worth the trouble.

This has been fixed.