On Fri, 10 Jan 2020 at 06:16, Andrew Dunstan
wrote:
> On Fri, Jan 10, 2020 at 8:32 AM Tom Lane wrote:
> >
> > Andrew Dunstan writes:
> > > On Fri, Jan 10, 2020 at 1:21 AM Robert Haas
> wrote:
> > >> I share the concern about the security issue here. I can't testify to
> > >> whether Christoph'
On Fri, Jan 10, 2020 at 8:32 AM Tom Lane wrote:
>
> Andrew Dunstan writes:
> > On Fri, Jan 10, 2020 at 1:21 AM Robert Haas wrote:
> >> I share the concern about the security issue here. I can't testify to
> >> whether Christoph's whole analysis is here, but as a general point,
> >> non-superuser
Andrew Dunstan writes:
> On Fri, Jan 10, 2020 at 1:21 AM Robert Haas wrote:
>> I share the concern about the security issue here. I can't testify to
>> whether Christoph's whole analysis is here, but as a general point,
>> non-superusers can't be allowed to do things that cause the server to
>> a
> On 9 Jan 2020, at 22:38, Andrew Dunstan
> wrote:
> I'm not (yet)
> convinced that there is any significant security threat here. This
> doesn't give the user or indeed any postgres code any access to the
> contents of these files. But if there is a consensus to restrict this
> I'll do it.
I'v
On Fri, Jan 10, 2020 at 1:21 AM Robert Haas wrote:
>
> On Thu, Jan 9, 2020 at 5:30 AM Christoph Berg wrote:
> > I have some concerns about security, though. It's true that the
> > sslcert/sslkey options can only be set/modified by superusers when
> > "password_required" is set. But when password_
On Thu, Jan 9, 2020 at 5:30 AM Christoph Berg wrote:
> I have some concerns about security, though. It's true that the
> sslcert/sslkey options can only be set/modified by superusers when
> "password_required" is set. But when password_required is not set, any
> user can create user mappings that
Re: To Andrew Dunstan 2020-01-09 <20200109103014.ga4...@msg.df7cb.de>
> I believe the options are still used in that case
> for creating connections, even when that means the remote server isn't
> set up for cert auth, which needs password_required=false to succeed.
They are indeed:
stat("/var/li
Re: To Andrew Dunstan 2020-01-09 <20200109103014.ga4...@msg.df7cb.de>
> sslcert/sslkey options can only be set/modified by superusers when
> "password_required" is set. But when password_required is not set, any
> user can create user mappings that reference arbitrary files on the
> server filesyst
Re: Andrew Dunstan 2019-11-01
> {"password_required", UserMappingRelationId, false},
> + /*
> + * Extra room for the user mapping copies of sslcert and
> sslkey. These
> + * are really libpq options but we repeat them here to allow
> them to
>
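Review bot: the comment added after the "password_required" entry explains, in the part visible here, why sslcert and sslkey are repeated as user mapping options, but it does not say who may set them. Since both options name files on the server's filesystem, state the permission rule (and how it interacts with password_required) in this comment, next to the option table entries it describes.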
On Wed, Jan 8, 2020 at 7:36 PM Peter Eisentraut
wrote:
>
> On 2019-12-02 00:12, Andrew Dunstan wrote:
> > On 11/30/19 8:48 PM, Michael Paquier wrote:
> >> On Thu, Oct 31, 2019 at 07:54:41PM -0400, Andrew Dunstan wrote:
> >>> This patch achieves $SUBJECT and also provides some testing of the
> >>>
On 2019-12-02 00:12, Andrew Dunstan wrote:
On 11/30/19 8:48 PM, Michael Paquier wrote:
On Thu, Oct 31, 2019 at 07:54:41PM -0400, Andrew Dunstan wrote:
This patch achieves $SUBJECT and also provides some testing of the
sslpassword setting.
The patch does not apply anymore, so a rebase is needed
On 11/30/19 8:48 PM, Michael Paquier wrote:
> On Thu, Oct 31, 2019 at 07:54:41PM -0400, Andrew Dunstan wrote:
>> This patch achieves $SUBJECT and also provides some testing of the
>> sslpassword setting.
> The patch does not apply anymore, so a rebase is needed. As it has
> not been reviewed, I
On Thu, Oct 31, 2019 at 07:54:41PM -0400, Andrew Dunstan wrote:
> This patch achieves $SUBJECT and also provides some testing of the
> sslpassword setting.
The patch does not apply anymore, so a rebase is needed. As it has
not been reviewed, I am moving it to next CF, waiting on author.
--
Michae