Hi,

On 2023-01-23 11:34:32 -0500, Robert Haas wrote:
> I will admit that this is not an open-and-shut case, because a
> passwordless login back to the bootstrap superuser account from the
> local machine is a pretty common scenario and doesn't feel
> intrinsically unreasonable to me, and I hadn't thought about that as a
> potential attack vector.

I think it's 90% of the problem... There's IMO no particularly good
alternative to a passwordless login for the bootstrap superuser, and it's the
account you least want to expose...

> > > I still think you're talking about a different problem here. I'm
> > > talking about the problem of knowing whether local files are going to
> > > be accessed by the connection string.
> >
> > Why is this only about local files, rather than e.g. also using the local
> > user?
>
> Because there's nothing you can do about the local-user case.
>
> If I'm asked to attempt to connect to a PostgreSQL server, and I
> choose to do that, and the connection succeeds, all I know is that the
> connection actually succeeded.

Well, there is PQconnectionUsedPassword()... Not that it's a great answer.

Greetings,

Andres Freund