Tom Lane wrote:
> Gregory Stark <[EMAIL PROTECTED]> writes:
>> My objection is that I think we should still revoke access for non-superuser
>> by default. The patch makes granting execute reasonable for most users but
>> nonetheless it shouldn't be the default.
>>
>> Being able to connect to a postgres server shouldn't mean being able to open
>> tcp connections *from* that server to arbitrary other host/ports.
>
> You forget that dblink isn't even installed by default. I could see
> having some more verbiage in the documentation explaining these possible
> security risks, but making it unusable is an overreaction.

If you are going to argue that we should revoke access for
non-superusers by default for dblink, then you are also arguing that we
should do the same for every function created with any untrusted language.
E.g. as I pointed out to Robert last week, just because an unsafe
function is created in plperlu, it doesn't mean that a non-superuser
can't run it immediately after it is created. There is no difference. It
is incumbent upon the DBA/superuser to be careful _whenever_ they create
any function using an untrusted language.
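The default discussed in this thread (EXECUTE granted to PUBLIC on every newly created function) can be audited and tightened from SQL. The following is an added example, not part of the original message or of the dblink patch; the role name `app_etl` is hypothetical, and it assumes a PostgreSQL release that provides `ALTER DEFAULT PRIVILEGES`, which is newer than this thread.

```sql
-- Added example. app_etl is a hypothetical role that legitimately needs dblink.

-- 1. Audit: user-installed functions written in C or in an untrusted
--    procedural language (plperlu, etc.) that PUBLIC is allowed to execute.
--    pg_catalog is excluded so that built-in functions are not listed.
SELECT n.nspname                                  AS schema_name,
       p.proname                                  AS function_name,
       pg_get_function_identity_arguments(p.oid)  AS arguments,
       l.lanname                                  AS language
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_language  l ON l.oid = p.prolang
WHERE  NOT l.lanpltrusted
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  has_function_privilege('public', p.oid, 'EXECUTE')
ORDER  BY schema_name, function_name;

-- 2. Restrict: remove the PUBLIC grant on the functions that open outbound
--    connections and grant EXECUTE only to the role that needs it.
--    Repeat for any other function the audit query reports.
BEGIN;
REVOKE EXECUTE ON FUNCTION dblink_connect(text)       FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink_connect(text, text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION dblink_connect(text)       TO app_etl;
GRANT  EXECUTE ON FUNCTION dblink_connect(text, text) TO app_etl;
COMMIT;

-- 3. Prevent recurrence: functions created later by the current role no
--    longer receive an implicit PUBLIC grant, which closes the window
--    between CREATE FUNCTION and a follow-up REVOKE.
ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- 4. Verify: both checks should return false for PUBLIC after step 2.
SELECT has_function_privilege('public', 'dblink_connect(text)',       'EXECUTE') AS public_can_connect_1,
       has_function_privilege('public', 'dblink_connect(text, text)', 'EXECUTE') AS public_can_connect_2;
```

Step 3 applies only to functions created by the role that runs it; use `ALTER DEFAULT PRIVILEGES FOR ROLE ...` for other function owners.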