Gregory Stark wrote:
All that really has to happen is that dblink should by default not be callable by any user other than Postgres. DBAs should be required to manually run "GRANT EXECUTE ON dblink_connect(text) TO public;" if that's what he wants.
That serves the purpose of making PG "secure by default" (whatever that means exactly) well, and surely is a good short-term solution. But it severely limits the usefulness of dblink on setups where PG uses ident auth either via TCP or unix-sockets - there seems to be no way to securely let users use dblink in such a setup.

Therefore I think there should be a TODO "Explore how dblink can be made safe if used together with ident authentication" or something similar.

The ideal solution would IMHO be to authenticate a user using dblink as the user he used to connect to PG in the first place - but since ident is handled outside of PG that might be impossible to achieve without some really bad hacks. So maybe just finding a way to disable ident auth for connections made via dblink is sufficient.

greetings, Florian Pflug