Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pmfCA-0001RU-64 for pgsql-hackers@arkaria.postgresql.org; Wed, 12 Apr 2023 18:27:50 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pmfC9-0001Lv-4T for pgsql-hackers@arkaria.postgresql.org; Wed, 12 Apr 2023 18:27:49 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pmf94-0004ed-TZ for pgsql-hackers@lists.postgresql.org; Wed, 12 Apr 2023 18:24:39 +0000 Received: from mail-pj1-x1029.google.com ([2607:f8b0:4864:20::1029]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1pmf92-0003TW-66 for pgsql-hackers@postgresql.org; Wed, 12 Apr 2023 18:24:37 +0000 Received: by mail-pj1-x1029.google.com with SMTP id 98e67ed59e1d1-246f856d751so158300a91.0 for ; Wed, 12 Apr 2023 11:24:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timescale.com; s=google; t=1681323875; x=1683915875; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=rpTtZQT1699uljCKN79Bo8l8CQx8Kzn1x8C0MiUtsCA=; b=JiBn2D4hiZha2RuG3OqU5z+MqPcSnjESpOCIIj3FbRaDqldunNIZjuXVCvZm7uk/AL zDGiy3YVux8QdbJdIud6Iv+nnhCGc+O8rK1Y2ADZRzDqpgR3AbzU8dEBu5ZRLOeT4li2 90F20YSMrGIvr7AS0dP81CUL1iEQwVn0A34f8+OuVCLWgURJEfvPwYtAWA9tD1a+voRO Zv6bsx4397hrHhaoUC94DCur1qvpzsibwK9d6tdkfynZoXtJys4Al9Jrle7fZ1ryE2ai nN/n6Or99MNuiKbL7Pv6kH20HX0dFCxxp0C7H4ZVKalnUUBTsYq4+G0Vav9zFSEMB7Rt 3CTg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681323875; x=1683915875; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=rpTtZQT1699uljCKN79Bo8l8CQx8Kzn1x8C0MiUtsCA=; b=i2p3INJh730cpI4gxMOrEmlNyuHBT1uL30YETYlhdVXLRA2zxJRHLkgQupDlU92G1t JTZkYbHAe3c0OkMHJ4fWy8dlC1CL3u40LvbnKp89HT7TofHzb8z6U0MFZllaL9W+48tZ Q0KuTTlONxQiCgbFw398fbcNEeNcoDDvcX5Q3WpDWCHyI6Ex+iOxIeRdxFOHahrQxL6n 1f0huXZgSku/D+YuQY3X3OyWrjEGXACqUGIdOzjDdHgyofCeQHpc/7mqdMuM7LIDEWxi 46S4nSNtpIVaN8MnG/7WALwnN6dXEdrTFyGa6LI/S6+9T0qJue2rdY6GhfzUxYFgEztL r9eg== X-Gm-Message-State: AAQBX9d6pxphg9uxgjFGN4jmuRVSg4Mu3Y/DkDEKD2g9LXUSJ9ran59k A6T8nzeD+J+kdkvt4ioakzAUjA== X-Google-Smtp-Source: AKy350bIu/WnQJVzBIhh0UGXdOFf76s8DzGjsv7BUAo+X4Gwcgdij4exP1BWwisCaOQ+wrzcToHzzw== X-Received: by 2002:a05:6a00:179c:b0:63b:2102:a1c8 with SMTP id s28-20020a056a00179c00b0063b2102a1c8mr1764707pfg.12.1681323874753; Wed, 12 Apr 2023 11:24:34 -0700 (PDT) Received: from [192.168.1.21] ([50.53.8.205]) by smtp.gmail.com with ESMTPSA id e14-20020a62aa0e000000b0063b1b84d54csm1193112pff.213.2023.04.12.11.24.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 12 Apr 2023 11:24:34 -0700 (PDT) Message-ID: <92c072dd-d979-8c74-d133-cb4a37a44124@timescale.com> Date: Wed, 12 Apr 2023 11:24:33 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1 Subject: Re: postgres_fdw, dblink, and CREATE SUBSCRIPTION security Content-Language: en-US To: Stephen Frost Cc: Robert Haas , Andres Freund , Mark Dilger , Jeff Davis , Amit Kapila , Andrew Dunstan , PostgreSQL-development References: <29c017e5-a84d-3ff7-c049-1cc0c7ccbb4d@timescale.com> From: Jacob Champion In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 3/30/23 11:13, Stephen Frost wrote: >> Okay, but this is walking back from the network example you just >> described upthread. Do you still consider that in scope, or...? > > The concern around the network certainly needs to be in-scope overall. Sounds good! > Who are we trusting with what? In particular, I'd argue that the user > who is able to install the postgres_fdw extension and the user who is > able to issue the CREATE SERVER are largely trusted; at least in so far > as the user doing CREATE SERVER is allowed to create the server and > through that allowed to make outbound connections from the Proxy. > > Therefore, the Proxy is configured with postgres_fdw and with a trusted > user performing the CREATE SERVER. > > What doesn't this handle today? Connection side-effects are one > problem- once the CREATE SERVER is done, any user with USAGE rights on > the server can create a USER MAPPING for themselves, either with a > password or without one (if they're able to proxy GSS credentials to the > system). They aren't able to set password_required though, which > defaults to true. However, without having require_auth set, they're > able to cause the Proxy to reach an authentication stage with the Target > that might not match what credentials they're supposed to be providing. > > We attempt to address this by checking post-auth to Target that we used > the credentials to connect that we expected to- if GSS credentials were > proxied, then we expect to use those. If a password was provided then > we expect to use a password to auth (only checked after we see if GSS > credentials were proxied and used). The issue here is 'post-auth' bit, > we'd prefer to fail the connection pre-auth if it isn't what we're > expecting. Right. Keep in mind that require_auth is post-auth, though; it can't fix that issue, so it doesn't fix any connection side-effect problems at all. > Should we then explicit set require_auth=gss when GSS > credentials are proxied? Also, if a password is provided, then > explicitly set require_auth=scram-sha-256? Or default to these, at > least, and allow the CREATE SERVER user to override our choices? Or > should it be a USER MAPPING option that's restricted? Or not? IMO, yes -- whatever credentials the proxy is forwarding from the user, the proxy should be checking that the server has actually used them. The person with the ability to create a USER MAPPING should probably not have the ability to override that check. >>> I think that what you're proposing is that B and C can just be allowed >>> to proxy to A and A can say "hey, by the way, I'm just gonna let you >>> in without asking for anything else" and B and C can, when proxying, >>> react to that by disconnecting before the connection actually goes >>> through. That's simpler, in a sense. It doesn't require us to set up >>> the proxy configuration on B and C in a way that matches what >>> pg_hba.conf allows on A. Instead, B and C can automatically deduce >>> what connections they should refuse to proxy. >> >> Right. It's meant to take the "localhost/wraparound connection" out of a >> class of special things we have to worry about, and make it completely >> boring. > > Again, trying to get at a more concrete example- the concern here is a > user with CREATE SERVER ability could leverage that access to become a > superuser if the system is configured with 'peer' access, right? Or 'trust localhost', or 'ident [postgres user]', yes. > A > non-superuser is already prevented from being able to set > "password_required=false", perhaps we shouldn't allow them to set > "require_auth=none" (or have that effect) either? I think that sounds reasonable. > Perhaps the system > should simply forcibly set require_auth based on the credentials > provided in the USER MAPPING or on the connection and have require_auth > otherwise restricted to superuser (who could override it if they'd > really like to)? Perhaps if password_required=false we implicitly > un-set require_auth, to avoid having to make superusers change their > existing configurations where they've clearly already accepted that > credential-less connections are allowed. Mm, I think I like the first idea better. If you've set a password, wouldn't you like to know if the server ignored it? If password_required is false, *and* you don't have a password, then we can drop require_auth without issue. > Automatically setting require_auth and restricting the ability of it to > be set on user mappings to superusers doesn't strike me as terribly > difficult to do and seems like it'd prevent this concern. > > Just to make sure I'm following- Robert's up-thread suggestion of an > 'outbound pg_hba' would be an additional restriction when it comes to > what a user who can use CREATE SERVER is allowed to do? Yes. That can provide additional safety in the case where you really need to take the require_auth checks away for whatever reason. I think it's just a good in-depth measure, and if we don't extend the protocol in some way to do a pre-auth check, it's also the way for the DBA to bless known-good connection paths. Thanks, --Jacob