Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vWIA6-00GdcB-1G for pgsql-hackers@arkaria.postgresql.org; Thu, 18 Dec 2025 17:51:39 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vWIA4-003EmK-0M for pgsql-hackers@arkaria.postgresql.org; Thu, 18 Dec 2025 17:51:36 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vWIA3-003Em4-2Y for pgsql-hackers@lists.postgresql.org; Thu, 18 Dec 2025 17:51:36 +0000 Received: from mail-qk1-x72d.google.com ([2607:f8b0:4864:20::72d]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vWIA2-001S9N-0J for pgsql-hackers@postgresql.org; Thu, 18 Dec 2025 17:51:35 +0000 Received: by mail-qk1-x72d.google.com with SMTP id af79cd13be357-8c07bc2ad13so30251785a.2 for ; Thu, 18 Dec 2025 09:51:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1766080292; x=1766685092; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=ThBvlQxSBn6F5s5kDMyqmbnEO/2vJuEfNlL86pcjzok=; b=OMBnWfYtI5TblY3A+YxquV8GGSKGv6esRhi9v8NEnrkW2P7HzgRzOh4UUCC9FEGApr pWxD506zGcbN9SuJRrIFd/1g3OTckwjJpCWTw2N7x3ou+pIFC49PYuO00rwEHSHjpXte 6yht9d/ornf03xebsafN8w2QBGp5mYWRn9Ts3NZmt6R9ANzZeqMJk+2Fy6u4PcAIOCGb uZLBs0BS4iQZ4V7zH2L4ihZQiHuZPw+xXVpfkIlMyCfI35veTdBds9ufHjdZ69Yh4XGx kdkZknTK0c5Xpjm/EfO9rbHceJDjD0as6KFjLzpxug1Qa53qKfQka6Nl/xgTzhjvMv6J xtUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766080292; x=1766685092; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=ThBvlQxSBn6F5s5kDMyqmbnEO/2vJuEfNlL86pcjzok=; b=nr4/zGJYGIxJbbRWQvG/j1dCRnq1j4y4bWu/DkCGExSEFjrlAOvt0dBji7uj1Kmit0 QDkYFs21OrhMW1HMEq3Xr9ExukVSKyc5j2tiijUyqv45zaNjyTGbuhYyF4z/oEK+wSTy h6724BKnQi146uxDwkbG4evIAGORdP6L5rqKnrgDAnjAfTEjgpduRxSbK5Z/mh7S8IFO hNJxGmdMs1TkGy9kBT5RZJH53QU7t4sx/vGxLuPjdMI73hICfHCEd3OA2Btz5d69ghyy J1GWd8QTxyjpKgO9ezYVemc7k7PZS1Toqd30LMKgM0ecNxHOdigegflbxo283Ekb98n7 YmAQ== X-Forwarded-Encrypted: i=1; AJvYcCVZ7D0xFTqq70v/C/IGVpy+1ftSotBFOXCajNbTfsaQrZuWEVK+WddcHuq7N/Rd55ZBZOqSKNN/qK0sZfY1@postgresql.org X-Gm-Message-State: AOJu0Yxje8i2idkYjhJN1SODk4TD5Lln8duCNbREM6bZxxVxzTZzJPit ga9qUKYR73tcm1ybeVXudgQdEK6K4ozmUmxjkk6f2F9WcynoWColfs4/d7hXHCl00xp8g4OCK/v dnjZZF+0oXa5AdvLUSCglagYEw3VrT3Ujs0Xs2V8U X-Gm-Gg: AY/fxX5zkgA/b7a1DqLKjpf/hyb1pVh6GYBROscp0YGLwsxaWTtsKwAShllBjLxYvf5 G22LWvQyLdIjbsKREy6XALlwBFIIJZnshhXIMmEFp3yLX4NYHHurKVg8zfgcd4WKWer4+HUkgrw cdxQIXp0v0VkdOmOKbAEHxzjAG6HgEePzjNPmvmWu06G5n9cQJIhETX+qXmtP1bDwGqZckcisWK 2VbTh7h02taEciRueSdaisQYlFmMvypDHkBFKvXqjskpOgWmF/jZsjAISPORlf8X9e5fYTF8g== X-Google-Smtp-Source: AGHT+IG8+bTkcW6pa/6sff/tn1Ra15ifVEvGRYLfQcfYcWmtDhenj/+6fws37hNr9w4d+sGUDwXckkXL7qXuwivhD7c= X-Received: by 2002:a05:620a:469e:b0:8a3:90c:55fb with SMTP id af79cd13be357-8c08fbdf0c8mr75100385a.20.1766080291758; Thu, 18 Dec 2025 09:51:31 -0800 (PST) MIME-Version: 1.0 References: <16a91d02795cb991963326a902afa764e4d721db.camel@gmail.com> <3D82D240-1CC5-4CE6-BE30-6065B693D40C@yesql.se> In-Reply-To: From: Jacob Champion Date: Thu, 18 Dec 2025 09:51:20 -0800 X-Gm-Features: AQt7F2ouyYkCQjoi68SMA3ki00MvaOtS29m4L6GGXDxby5MQUshXFdLP5UAq6Dg Message-ID: Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode To: Zsolt Parragi Cc: Daniel Gustafsson , "Jonathan Gonzalez V." , PostgreSQL Hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Wed, Dec 17, 2025 at 5:15=E2=80=AFAM Zsolt Parragi wrote: > > I don't disagree. But at this point in these conversations, the > > question posed is typically "is the new risk/reward tradeoff any worse > > than PGSSLROOTCERT or PGSSLMODE or PGSERVICEFILE (or LD_LIBRARY_PATH > > or PATH)?" I'd say no, not enough to introduce a new way of > > configuring things for this particular setting. > > Those are also bad, but there are also parameter alternatives for all of = them. But if the concern is security, the existence of the parameter alternatives doesn't really seem to help you. > > 2) Do you want these settings to be part of a postgres:// URI? > > Not for debug settings, but if everyone agrees on splitting the CA > into its own setting, it could behave the same way as > sslrootcert/PGSSLROOTCERT. I don't know if everyone does, but I've seen no pushback yet, so I plan to do so (parameter + envvar). I only nested it under debug settings because I thought there was no production use case, and now that Jonathan is saying "yes, I have a production case", that seems good enough. I don't think I need to raise the bar any more than that. > > Mmm... I'd say that application developers always have to be aware of > > user environment changes in the context of any Linux programming, let > > alone libpq client development. The user is generally in partial > > control of the linker. Nearly every libpq setting is accessible via > > the environment. (setuid programming is its own specialized skillset > > for a reason.) > > My concern is not somebody developing libpq directly on Linux, but > more complex situations. Understood (and I'd like to make this better too). But see below. > This is also probably a separate discussion, but what do you think > about introducing a parameter that disables environment variable > fallbacks? Both for existing variables like PGSSLROOTCERT and > new/debug variables like PGOAUTHCAFILE. (by default everything works > as currently; when specified environment variables are ignored) I like the idea of more application control over this, generally. I think the concern that's been raised before, for example with the superuser-can-do-too-much conversations, is: Piecemeal improvements, without a consensus on the end goal, can paradoxically make things less secure. Because now users have a harder time reasoning about the system's behavior and designing for it. It's even worse if committers can't reason about it and start working at cross purposes. For example, if we lock down our envvars and then immediately farm security-critical decisions out to Kerberos or Curl or PAM or etc. which use their own envvars, in what cases is that better than telling application developers that hey, you always need to be careful about sanitizing your environment if you somehow don't trust it? I don't really know (hand-wavy), and I think proposals would need to provide good arguments in favor. Definitely a separate discussion. Thanks, --Jacob