Gregory Stark wrote:
All that really has to happen is that dblink should by default not be callable
by any user other than Postgres. DBAs should be required to manually run
"GRANT EXECUTE ON dblink_connect(text) TO public;" if that's what he wants.
Advertising
That serves the purpose of making PG "secure by default" (whatever that means
exactly) well, and surely is a good short-term solution.
But it severely limits the usefulness of dblink on setup where PG uses
ident auth either via TCP or unix-sockets - there seems to be no way to
securely users use dblink in such a setup.
Therefore I think there should be a ToDO
"Explore how dblink can be made safe if used together with ident authentication"
or something similar.
The ideal solution would IMHO be to authenticate a user using dblink as
the user he used to connect to PG in the first place - but since ident is
handled outside of PG that might be impossible to archive without some
really bad hacks. So maybe just finding a way to disable ident auth for
connections made via dblink is sufficient.
greetings, Florian Pflug
---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
choose an index scan if your joining column's datatypes do not
match
