Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1peIQl-0006ya-45 for pgsql-hackers@arkaria.postgresql.org; Mon, 20 Mar 2023 16:32:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1peIQj-0005Jz-Iu for pgsql-hackers@arkaria.postgresql.org; Mon, 20 Mar 2023 16:32:17 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1peIQi-0005Iw-PO for pgsql-hackers@lists.postgresql.org; Mon, 20 Mar 2023 16:32:16 +0000 Received: from mail-lj1-x22e.google.com ([2a00:1450:4864:20::22e]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1peIQg-0003oP-2M for pgsql-hackers@postgresql.org; Mon, 20 Mar 2023 16:32:15 +0000 Received: by mail-lj1-x22e.google.com with SMTP id e21so152449ljn.7 for ; Mon, 20 Mar 2023 09:32:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1679329932; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=DLYgUKftJHOIwl2hxDYVUSRTygdpTUAn4vYYJzMJ2K8=; b=FR61EPdCx5FeKue8S2n+RQhkpiUYPn0vNadZTXqdIcJKKRaxfS2XrJ4QOdDRTF5ua9 noVkOaIi3qclR09xs75ny+xivc0saFl4vpoy1lFJ0gzyX7QldcaYe7sFRCXIke6tVB4n vZ6ldGANNG30U7VQWAeEXAKhlQwGKYLG1wEHF25aUv6BEMRz6sJTXmraQFoAFCsZnLHT PupxVbxCsXDXYw15RpLSDv5t0GdlSl+K/pWDlumR28b3kovjx5UzhvjNdQz5+H4wHC5m q8uwtJxzwKh6rMkGtblznPspT0NmobOdYSt+3irfuUA6gMZt+Yy31H8b1XO2R/xEd9lV 9w9w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679329932; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DLYgUKftJHOIwl2hxDYVUSRTygdpTUAn4vYYJzMJ2K8=; b=MESI0FkFTGO4xCNuKsokACS1jxMmG7B93UA66EkoFD2YIHm0z5+VMkW7wkFLyKFbgT zZ3Wql2kxKL3O07ML5w7VVilD6WGFLXy5H7/DEwVjDf+2mRdzVaHEVo6bJJe7aM7WNmV /9EdZyFkKFy4oJfdxCt+NND49KBfD2ZNjYgFyiF2vZPY0jgmypfTrQd94MvzHaSNp49A R5s5Krqd2Z8pIWLEPHX2GUR35gtrVbYyzRwfMbn3q3Ws46pclNUrNZtmYO11oFbYjuIH eLL3H5RlixQFPI3kufcEGWNgJJN9mJuTb/9pge4CAMgKJERDev+ZT+YmrOeTwAsHP6vV XSIQ== X-Gm-Message-State: AO0yUKW+eEmCQVK7jnR+Z6v+rvfIBWlu1qt8YvYNRwrLE4ibt2sPx4el 6/WQUTwakHLTe30n4jRdLJjhRwbq+0hHqiElVZA= X-Google-Smtp-Source: AK7set+3vDLE88XEeh+pQkuJYqLLh6cXbdlPTGCGC1w/pluL1WaJh+FCQVGKKBAidrXBVcD/sjeZxzPgWQLn/EEVTs4= X-Received: by 2002:a2e:994b:0:b0:298:a8d0:c84c with SMTP id r11-20020a2e994b000000b00298a8d0c84cmr191526ljj.10.1679329932089; Mon, 20 Mar 2023 09:32:12 -0700 (PDT) MIME-Version: 1.0 References: <66f55a6b9ff7bdd6bfd0d05e8fd8351690e69e23.camel@j-davis.com> <6ef7d0b0-3255-68c3-73b2-e6023b241222@timescale.com> <0768cedb-695a-8841-5f8b-da2aa64c8f3a@timescale.com> In-Reply-To: From: Robert Haas Date: Mon, 20 Mar 2023 12:32:00 -0400 Message-ID: Subject: Re: postgres_fdw, dblink, and CREATE SUBSCRIPTION security To: Jacob Champion Cc: Andres Freund , Mark Dilger , Jeff Davis , Amit Kapila , Andrew Dunstan , PostgreSQL-development Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Fri, Mar 10, 2023 at 7:00=E2=80=AFPM Jacob Champion wrote: > On Thu, Mar 9, 2023 at 6:17=E2=80=AFAM Robert Haas wrote: > > That seems like a circular argument. If you call the problem the > > confused deputy problem then the issue must indeed be that the deputy > > is confused, and needs to talk to someone else to get un-confused. But > > why is the deputy necessarily confused in the first place? Our deputy > > is confused because our code to decide whether to proxy a connection > > or not is super-dumb, > > No, I think our proxy is confused because it doesn't know what power > it has, and it can't tell the server what power it wants to use. That > problem is independent of the decision to proxy. You're suggesting > strengthening the code that makes that decision -- adding an oracle > (in the form of a DBA) that knows about the confusion and actively > mitigates it. That's guaranteed to work if the oracle is perfect, > because "perfect" is somewhat tautologically defined as "whatever > ensures secure operation". But the oracle doesn't reduce the > confusion, and DBAs aren't perfect. I think this is the root of our disagreement. My understanding of the previous discussion is that people think that the major problem here is the wraparound-to-superuser attack. That is, in general, we expect that when we connect to a database over the network, we expect it to do some kind of active authentication, like asking us for a password, or asking us for an SSL certificate that isn't just lying around for anyone to use. However, in the specific case of a local connection, we have a reliable way of knowing who the remote user is without any kind of active authentication, namely 'peer' authentication or perhaps even 'trust' if we trust all the local users, and so we don't judge it unreasonable to allow local connections without any form of active authentication. There can be some scenarios where even over a network we can know the identity of the person connecting with complete certainty, e.g. if endpoints are locked down such that the source IP address is a reliable indicator of who is initiating the connection, but in general when there's a network involved you don't know who the person making the connection is and need to do something extra to figure it out. If you accept this characterization of the problem, then I don't think the oracle is that hard to design. We simply set it up not to allow wraparound connections, or maybe even more narrowly to not allow wraparound connections to superuser. If the DBA has some weird network topology where that's not the correct rule, either because they want to allow wraparound connections or they want to disallow other things, then yeah they have to tell us what to allow, but I don't really see why that's an unreasonable expectation. I'd expect the correct configuration of the proxy facility to fall naturally out of what's allowed in pg_hba.conf. If machine A is configured to accept connections from machines B and C based on environmental factors, then machines B and C should be configured not to proxy connections to A. If machines B and C aren't under our control such that we can configure them that way, then the configuration is fundamentally insecure in a way that we can't really fix. I think that what you're proposing is that B and C can just be allowed to proxy to A and A can say "hey, by the way, I'm just gonna let you in without asking for anything else" and B and C can, when proxying, react to that by disconnecting before the connection actually goes through. That's simpler, in a sense. It doesn't require us to set up the proxy configuration on B and C in a way that matches what pg_hba.conf allows on A. Instead, B and C can automatically deduce what connections they should refuse to proxy. I guess that's nice, but it feels pretty magical to me. It encourages the DBA not to think about what B and C should actually be allowed to proxy, and instead just trust that the automatics are going to prevent any security disasters. I'm not sure that they always will, and I fear cultivating too much reliance on them. I think that if you're setting up a network topology where the correct rule is something more complex than "don't allow wraparound connections to superuser," maybe you ought to be forced to spell that rule out instead of letting the system deduce one that you hope will be right. --=20 Robert Haas EDB: http://www.enterprisedb.com