Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vVa69-005HIX-24 for pgsql-hackers@arkaria.postgresql.org; Tue, 16 Dec 2025 18:48:38 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vVa68-0087ki-1x for pgsql-hackers@arkaria.postgresql.org; Tue, 16 Dec 2025 18:48:37 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vVa68-0087ka-0s for pgsql-hackers@lists.postgresql.org; Tue, 16 Dec 2025 18:48:37 +0000 Received: from mail-qv1-xf2d.google.com ([2607:f8b0:4864:20::f2d]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vVa65-0015zC-0m for pgsql-hackers@postgresql.org; Tue, 16 Dec 2025 18:48:36 +0000 Received: by mail-qv1-xf2d.google.com with SMTP id 6a1803df08f44-8888a16d243so40314536d6.1 for ; Tue, 16 Dec 2025 10:48:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1765910911; x=1766515711; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=dpvEnOh5j/DaKqIaOvNGRE6Qt7mTbCtZFc9/6PRipoM=; b=gFnu5DPVPatItEE0IhC+RgcP9TMF1uO9Oz0Uf1gN6o8hp6SZY0lYqlgigMI3tKPQtf myPIt0b88gr/tEYxwmx5KCsbkCKO/6Fc3wAJJ4TwlJTJtyb0JNgBTSh8N7J3v//KKA8Q 2oNVIbGIJkxXG+NcrhQok/X9efOlaXo+0KgzO3+K7vJ0V2W2/irpa762v/mzquzJnG5y 5XNJyCOWcfrPWqVqO8ygpHELURQ4BPlYtyM9J8QcV9wS2OgUAHUI07aB+pmIhi8+Hwz9 4jaey1ldGVpPRjq26CWyiwHp9lYl/ltNMmzTQ9OFeO4y4wLfDIRAn0Ya3Egf24jYbXlH JkgA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765910911; x=1766515711; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=dpvEnOh5j/DaKqIaOvNGRE6Qt7mTbCtZFc9/6PRipoM=; b=PVf7w4MesA1K+9ZQzxtPk62mLR5Hrc99jLa4WQ3jHNtlqSDXs8JZSC1Dcku6y6QaDI RrpZ98aOd7G9Zjb5mdx6X0sxV/fMJWj1A4Xeo9FlV9Oq2wFoHwoHZ4ZXZWbkzOij1OX6 x+OWd7gxvSd59P6bXI3CD3VqQzlZYOIbN/jqsvtGOq1rD+Fh+3HZApa5aQf6tC+ZP2+k 3QtWfgL+POaUVztCf9GSgChaEh/nEVoMXQ0AYgsdR06kfIdfSZqpWP49NyB4nrDtSbhA YVImng4TNLkEmuHSZx3AWrU1kZnxoCQ5ia1kOHWXX9MtJ7j54zsS+49Y3X7GKVye7BRQ lfUw== X-Forwarded-Encrypted: i=1; AJvYcCX2E8ZgPqTNFGxxb877A7Nkcvxgl4bZ3hBqOa3nqwlKSArvyx2FV9tvHRmi3CxGhSuR7p3lr3H34TPlk6/S@postgresql.org X-Gm-Message-State: AOJu0YwyEoOdGCjJ7pS5iLZIVpXlHyBSBvjUP0H8t9EgrA7NXb7HBcyr 2Ys0lZnLSNr7UuYeIeBh0Wh9io1KMdsVXLAz2EjiS6VeDltnWJfev9d4XLENfi3O8eQHkS4Xpyn FBqiuipMCdD9XwLIlDbRxm0nGEJWkQCxAT+NrAXG3 X-Gm-Gg: AY/fxX4zArh6etslo+MnVE0wwnA/oMM4QVbepScwWaRV1TNAGWHu48VUM2ScB1w1mLN xP3J3qduWtwUoZW+OobytK4YsHTFeWN/yxs/v4sUftF71/uy1MP5fzlwJ7ryKNuhPLec4b7KEL4 zwSmMwUIHwRoR+7lIpMrCJIVy3zKe8R8twUAz+C/fqhgO5fx0AzMJXtgFv5lZrIjkiH6h6E6cmi 0fi/HIXE0MP25lf6BRIRShQMzV5vNyb6e94/tUmtNSHPbk9ICbMRpi9bdWPJuNM2/+ZfE4hXQ== X-Google-Smtp-Source: AGHT+IFKY/cUF/C66NYiHMzLwE5htJijWYsGsNShKNExq1uLz2xaYiuP/QvMbd9UGELHfJ7O71NIPF1z3ZKBC/gHAJY= X-Received: by 2002:a0c:eb45:0:b0:888:89fd:a720 with SMTP id 6a1803df08f44-88889fda9a9mr145623956d6.11.1765910910682; Tue, 16 Dec 2025 10:48:30 -0800 (PST) MIME-Version: 1.0 References: <16a91d02795cb991963326a902afa764e4d721db.camel@gmail.com> <3D82D240-1CC5-4CE6-BE30-6065B693D40C@yesql.se> In-Reply-To: From: Jacob Champion Date: Tue, 16 Dec 2025 10:48:18 -0800 X-Gm-Features: AQt7F2qmAEgxKSRnyRozHjpGFERZQico1eqhzphR8MQh5jvZgF0e1KSZeHFxXJE Message-ID: Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode To: Zsolt Parragi Cc: Daniel Gustafsson , "Jonathan Gonzalez V." , PostgreSQL Hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Fri, Dec 12, 2025 at 3:05=E2=80=AFAM Zsolt Parragi wrote: > I implemented a simple patch based on the above suggestion > (PGOAUTHDEBUG=3DUNSAFE:http...). Thank you! > I added the new functions into a common source file which gets > included in both the oauth module and libpq. I'm not entirely happy > about this, but I didn't see a better way without duplicating the > code. Yeah, I'm not entirely happy about it either. Let me think about some alternatives... pgcommon is a possibility, as is reworking the API so that it's more ephemeral (these probably don't need to be super performant, so an `inline static` header implementation that reparses the envvar each time might work). > My concern, which is also there with the current version: is an > environment variable the best way to control these settings in a > library included into many applications? Wouldn't it be better to make > these settings in libpq (or the oauth module), and only add the > environment variables to psql? 1) Do you plan to be setting debug variables in production? 2) Do you want these settings to be part of a postgres:// URI? For me the answer to both is "no", so I'm not too excited about adding these as libpq connection parameters. Did you have another idea in mind? > This can be used to inject a CA into an application without the user > noticing it, I don't disagree. But at this point in these conversations, the question posed is typically "is the new risk/reward tradeoff any worse than PGSSLROOTCERT or PGSSLMODE or PGSERVICEFILE (or LD_LIBRARY_PATH or PATH)?" I'd say no, not enough to introduce a new way of configuring things for this particular setting. I've argued in the other direction before [1], but I still feel good about that, because I think a global keylogfile is more sensitive than this. > or without the application developer being aware of the > possibility. Mmm... I'd say that application developers always have to be aware of user environment changes in the context of any Linux programming, let alone libpq client development. The user is generally in partial control of the linker. Nearly every libpq setting is accessible via the environment. (setuid programming is its own specialized skillset for a reason.) Now, if there's any appetite to make the situation better, continuing to add security-critical settings into the environment makes things worse for anyone who wants to propose an alternative. But that's where we stood as of the last related conversation I was involved in. > But by splitting the setting into multiple flags, > this can go unnoticed even in a console application. Because it's not obviously spraying output all the time, you mean? We could perhaps be noisier when any UNSAFE setting is in use. > Another question is what to do with the CA file - currently it remains > a separate (environment) variable, but maybe it could be included in > the option string instead: > PGOAUTHDEBUG=3DUNSAFE:custom-ca=3D/path/to/the/file I think I've been convinced by the existence of this thread that we should split PGOAUTHCAFILE out of debug options entirely, pending the resolution of some of the open questions. Thanks, --Jacob [1] https://postgr.es/m/CAOYmi%2BmY7zBXTqJT6EYP_6sdk7ro8L8ByToKb4f-hU5qnpOx= hw%40mail.gmail.com