authorAndrew Dunstan <andrew@dunslane.net>2020-01-13 18:08:09 +1030
committerAndrew Dunstan <andrew@dunslane.net>2020-01-13 18:08:09 +1030
commitcebf9d6e6ee13cbf9f1a91ec633cf96780ffc985 (patch)
tree1726435c36284b74889b59ca3bb8c50abc669e6d
parent4e514c6180fbf71cf7a0171867c828c63afd1c37 (diff)
Only superuser can set sslcert/sslkey in postgres_fdw user mappings
Otherwise there is a security risk. Discussion: https://postgr.es/m/20200109103014.GA4192@msg.df7cb.de
-rw-r--r--contrib/postgres_fdw/expected/postgres_fdw.out9
-rw-r--r--contrib/postgres_fdw/option.c10
-rw-r--r--contrib/postgres_fdw/sql/postgres_fdw.sql7
-rw-r--r--doc/src/sgml/postgres-fdw.sgml6
4 files changed, 31 insertions, 1 deletions
diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
index 0912d6cd5e4..84fd3ad2e0c 100644
--- a/contrib/postgres_fdw/expected/postgres_fdw.out
+++ b/contrib/postgres_fdw/expected/postgres_fdw.out
@@ -8898,6 +8898,15 @@ SELECT * FROM ft1_nopw LIMIT 1;
1111 | 2 | | | | | ft1 |
(1 row)
+-- unpriv user also cannot set sslcert / sslkey on the user mapping
+-- first set password_required so we see the right error messages
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (SET password_required 'true');
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslcert 'foo.crt');
+ERROR: sslcert and sslkey are superuser-only
+HINT: User mappings with the sslcert or sslkey options set may only be created or modified by the superuser
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslkey 'foo.key');
+ERROR: sslcert and sslkey are superuser-only
+HINT: User mappings with the sslcert or sslkey options set may only be created or modified by the superuser
-- We're done with the role named after a specific user and need to check the
-- changes to the public mapping.
DROP USER MAPPING FOR CURRENT_USER SERVER loopback_nopw;
diff --git a/contrib/postgres_fdw/option.c b/contrib/postgres_fdw/option.c
index 4a26056db08..c442af5bb96 100644
--- a/contrib/postgres_fdw/option.c
+++ b/contrib/postgres_fdw/option.c
@@ -159,6 +159,16 @@ postgres_fdw_validator(PG_FUNCTION_ARGS)
errmsg("password_required=false is superuser-only"),
errhint("User mappings with the password_required option set to false may only be created or modified by the superuser")));
}
+ else if (strcmp(def->defname, "sslcert") == 0 ||
+ strcmp(def->defname, "sslkey") == 0)
+ {
+ /* similarly for sslcert / sslkey on user mapping */
+ if (catalog == UserMappingRelationId && !superuser())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("sslcert and sslkey are superuser-only"),
+ errhint("User mappings with the sslcert or sslkey options set may only be created or modified by the superuser")));
+ }
}
PG_RETURN_VOID();
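Review bot: The new `sslcert`/`sslkey` branch in postgres_fdw_validator enforces the restriction only when options are created or altered, so a user mapping that a non-superuser gave these options before this change would keep them unless the connection path rechecks, which this hunk does not show. Consider a matching check where the connection is established, or at least a note telling upgraders to audit existing mappings (the `umoptions` column of `pg_user_mappings`). The comment `/* similarly for sslcert / sslkey on user mapping */` would also help more if it named the reason, for example `/* sslcert/sslkey name files that are read by the backend's OS account, so only a superuser may set them on a user mapping */`. The validator's body starts and ends outside the hunk.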
diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql
index f2a4089e9d3..acd7275c729 100644
--- a/contrib/postgres_fdw/sql/postgres_fdw.sql
+++ b/contrib/postgres_fdw/sql/postgres_fdw.sql
@@ -2567,6 +2567,7 @@ SELECT * FROM ft1_nopw LIMIT 1;
-- Unpriv user cannot make the mapping passwordless
ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD password_required 'false');
+
SELECT * FROM ft1_nopw LIMIT 1;
RESET ROLE;
@@ -2579,6 +2580,12 @@ SET ROLE regress_nosuper;
-- Should finally work now
SELECT * FROM ft1_nopw LIMIT 1;
+-- unpriv user also cannot set sslcert / sslkey on the user mapping
+-- first set password_required so we see the right error messages
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (SET password_required 'true');
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslcert 'foo.crt');
+ALTER USER MAPPING FOR CURRENT_USER SERVER loopback_nopw OPTIONS (ADD sslkey 'foo.key');
+
-- We're done with the role named after a specific user and need to check the
-- changes to the public mapping.
DROP USER MAPPING FOR CURRENT_USER SERVER loopback_nopw;
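Review bot: The added statements cover only the `ALTER USER MAPPING ... OPTIONS (ADD ...)` path as the unprivileged role, so the `CREATE USER MAPPING` path and the permitted superuser path are left untested. Since the new check is described as applying to mappings that are "created or modified", a `CREATE USER MAPPING` with `sslcert` issued by regress_nosuper and expecting the same error would pin the other half of that promise. A positive case after `RESET ROLE`, where the superuser adds `sslcert` to a mapping and no error is raised, would guard against the check later becoming too broad. Each added case also needs its output in expected/postgres_fdw.out.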
diff --git a/doc/src/sgml/postgres-fdw.sgml b/doc/src/sgml/postgres-fdw.sgml
index 812e62cb363..94992be4272 100644
--- a/doc/src/sgml/postgres-fdw.sgml
+++ b/doc/src/sgml/postgres-fdw.sgml
@@ -130,7 +130,7 @@
</listitem>
<listitem>
<para>
- <literal>sslkey</literal> and <literal>sslpassword</literal> - these may
+ <literal>sslkey</literal> and <literal>sslcert</literal> - these may
appear in <emphasis>either or both</emphasis> a connection and a user
mapping. If both are present, the user mapping setting overrides the
connection setting.
@@ -140,6 +140,10 @@
</para>
<para>
+ Only superusers may create or modify user mappings with the
+ <literal>sslcert</literal> or <literal>sslkey</literal> settings.
+ </para>
+ <para>
Only superusers may connect to foreign servers without password
authentication, so always specify the <literal>password</literal> option
for user mappings belonging to non-superusers.