Stephen Frost wrote:
* Florian Pflug ([EMAIL PROTECTED]) wrote:
Gregory Stark wrote:
All that really has to happen is that dblink should by default not be callable
by any user other than Postgres. DBAs should be required to manually run
"GRANT EXECUTE ON dblink_connect(text) TO public;" if that's what he wants.
That serves the purpose of making PG "secure by default" (whatever that means
exactly) well, and surely is a good short-term solution.
But it severely limits the usefulness of dblink on setup where PG uses
ident auth either via TCP or unix-sockets - there seems to be no way to
securely users use dblink in such a setup.

Uh, have the admin create appropriate views.
I meant letting them use it to connect to abitrary databases and hosts, not
executing only predefined quries. My wording wasn't clear in that regard,
though.

Therefore I think there should be a ToDO
"Explore how dblink can be made safe if used together with ident authentication"
or something similar.

I disagree.  What dblink *does* is insecure and in general *shouldn't*
be something regular users can do.  That goes well and beyond just the
ident case, imv, but it's handy thing to point to atm.
I fail to see why dblink is any more insecure than, say, plpgsql or
plperl (not plperlu). It doesn't give any more priviliges than pgsql
would. The only exception IMHO are privileges that you get because
dblink issues that connection from a specific machine as a specific user.

What other security problems does dblink impose? Maybe I'm just being blind..

greetings, Florian Pflug


---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?

              http://archives.postgresql.org

Reply via email to