author Andrew Dunstan <andrew@dunslane.net> 2019-12-20 16:23:34 +1030
committer Andrew Dunstan <andrew@dunslane.net> 2019-12-20 16:23:34 +1030
commit 6136e94dcb88c50b6156aa646746565400e373d4
tree 41c6d3367fdae86234a8b796cabcd65a0c61c0a8 /doc/src
parent 16a4e4aecd47da7a6c4e1ebc20f6dd1a13f9133b
Superuser can permit passwordless connections on postgres_fdw

Currently postgres_fdw doesn't permit a non-superuser to connect to a foreign server without specifying a password, or to use an authentication mechanism that doesn't use the password. This is to avoid using the settings and identity of the user running Postgres.

However, this doesn't make sense for all authentication methods. We therefore allow a superuser to set "password_required 'false'" for user mappings for the postgres_fdw. The superuser must ensure that the foreign server won't try to rely solely on the server identity (e.g. trust, peer, ident) or use an authentication mechanism that relies on the password settings (e.g. md5, scram-sha-256).

This feature is a prelude to better support for sslcert and sslkey settings in user mappings.

Author: Craig Ringer.
Discussion: https://postgr.es/m/075135da-545c-f958-fed0-5dcb462d6dae@2ndQuadrant.com

Diffstat (limited to 'doc/src')
-rw-r--r-- doc/src/sgml/postgres-fdw.sgml 24
1 files changed, 24 insertions, 0 deletions

diff --git a/doc/src/sgml/postgres-fdw.sgml b/doc/src/sgml/postgres-fdw.sgml
index 1d4bafd9f06..4986b7f5b5d 100644
--- a/doc/src/sgml/postgres-fdw.sgml
+++ b/doc/src/sgml/postgres-fdw.sgml
@@ -136,6 +136,30 @@
authentication, so always specify the <literal>password</literal> option
for user mappings belonging to non-superusers.
</para>
+ <para>
+ A superuser may override this check on a per-user-mapping basis by setting
+ the user mapping option <literal>password_required 'false'</literal>, e.g.
+ <programlisting>
+ ALTER USER MAPPING FOR some_non_superuser SERVER loopback_nopw
+ OPTIONS (ADD password_required 'false');
+ </programlisting>
+ To prevent unprivileged users from exploiting the authentication rights
+ of the unix user the postgres server is running as to escalate to superuser
+ rights, only the superuser may set this option on a user mapping.
+ </para>
+ <para>
+ Care is required to ensure that this does not allow the mapped
+ user the ability to connect as superuser to the mapped database per
+ CVE-2007-3278 and CVE-2007-6601. Don't set
+ <literal>password_required=false</literal>
+ on the <literal>public</literal> role. Keep in mind that the mapped
+ user can potentially use any client certificates,
+ <filename>.pgpass</filename>,
+ <filename>.pg_service.conf</filename> etc in the unix home directory of the
+ system user the postgres server runs as. They can also use any trust
+ relationship granted by authentication modes like <literal>peer</literal>
+ or <literal>ident</literal> authentication.
+ </para>
</sect3>
<sect3>
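
Review bot: The second added paragraph ("Care is required to ensure ...") lists what the mapped user could borrow from the server's system account but never tells the superuser what to verify before setting the option. The commit message states the condition directly: the foreign server must not rely solely on the server identity (trust, peer, ident) or use an authentication mechanism that relies on the password settings (md5, scram-sha-256). I suggest carrying that sentence into the documentation so the requirement is visible to readers who never see the commit log. Smaller points in the same hunk: the example writes "password_required 'false'" while this paragraph writes "password_required=false", so pick one notation; "the public role" would be more precise as a user mapping for PUBLIC, since the option is set on a mapping rather than on a role; "etc" is missing its period and "unix" should be capitalized in both added paragraphs.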