"Tom Lane" <[EMAIL PROTECTED]> writes: > Gregory Stark <[EMAIL PROTECTED]> writes: >> All that really has to happen is that dblink should by default not be >> callable by any user other than Postgres. > > Yeah, that is not an unreasonable change. Someone suggested it far > upthread, but we seem to have gotten distracted :-(
On the subject of privilege escalation in contrib modules, I just did some quick searches. Other modules using suspect calls are: pg_adminpack, and tsearch2 (aside from pg_standby and pgbench which are stand-alone programs). It looks like pg_adminpack uses requireSuperuser religiously so that should be fine. tsearch2 looks kind of suspect though. I'm not very familiar with it but is there any protection against an attacker specifying arbitrary files as dictionary, thesaurus, or stemmer files, allowing the user to open a file as the postgres user instead of his own privileges? -- Gregory Stark EnterpriseDB http://www.enterprisedb.com ---------------------------(end of broadcast)--------------------------- TIP 3: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faq
