On Thu, 9 Jan 2020 at 22:38, Christoph Berg <myon@debian.org> wrote:
Re: Robert Haas 2020-01-09 <CA+TgmoZEjyv_PD=2cinkbDA_chyLNAcBPL_9bKJQ6bc=nw+FHA@mail.gmail.com> > Does this mean that a non-superuser can induce postgres_fdw to read an > arbitrary file from the local filesystem?
Yes, see my comments in the "Allow 'sslkey' and 'sslcert' in postgres_fdw user mappings" thread.
Ugh, I misread your comment.
You raise a sensible concern.
These options should be treated the same as the proposed option to allow passwordless connections: disallow creation or alteration of FDW connection strings that use them by non-superusers. So a superuser can define a user mapping that uses these options, but normal users may not.