Обсуждение: pgsql: Re-validate connection string in libpqrcv_connect().
Re-validate connection string in libpqrcv_connect(). A superuser may create a subscription with password_required=true, but which uses a connection string without a password. Previously, if the owner of such a subscription was changed to a non-superuser, the non-superuser was able to utilize a password from another source (like a password file or the PGPASSWORD environment variable), which should not have been allowed. This commit adds a step to re-validate the connection string before connecting. Reported-by: Jeff Davis Author: Vignesh C Reviewed-by: Peter Smith, Robert Haas, Amit Kapila Discussion: https://www.postgresql.org/message-id/flat/e5892973ae2a80a1a3e0266806640dae3c428100.camel%40j-davis.com Backpatch-through: 16 Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/5c31669058b5550b4b3d623c07bc4203c11b8316 Modified Files -------------- doc/src/sgml/ref/create_subscription.sgml | 11 +-- .../libpqwalreceiver/libpqwalreceiver.c | 9 +++ src/test/subscription/t/027_nosuperuser.pl | 80 ++++++++++++++++++++++ 3 files changed, 95 insertions(+), 5 deletions(-)
On Fri, 2024-01-12 at 21:43 +0000, Jeff Davis wrote: > Re-validate connection string in libpqrcv_connect(). Looks like the test is causing problems on drogo: ERROR: could not connect to the publisher: connection to server at "127.0.0.1", port 54707 failed: FATAL: SSPI authentication failed for user "regress_test_user"' https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=drongo&dt=2024-01-13%2002%3A41%3A35 I think we need to change the pg_hba.conf on the publisher before creating (or at least before enabling) the subscription. I might have to commit a trial fix unless someone can debug this more easily on drogo's configuration. I suppose I could also take out the test, but I like that it adds better coverage of the password_required setting. Regards, Jeff Davis
Jeff Davis <pgsql@j-davis.com> writes: >> Re-validate connection string in libpqrcv_connect(). > Looks like the test is causing problems on drogo: > ERROR: could not connect to the publisher: connection to server at > "127.0.0.1", port 54707 failed: FATAL: SSPI authentication failed for > user "regress_test_user"' I might be wrong, but I think the problem is lack of an auth_extra setting for that role. See for example 1e3f461e8. regards, tom lane