"Tom Lane" <[EMAIL PROTECTED]> writes:
> Gregory Stark <[EMAIL PROTECTED]> writes:
>> My objection is that I think we should still revoke access for non-superuser
>> by default. The patch makes granting execute reasonable for most users but
>> nonetheless it shouldn't be the default.
>
>> Being able to connect to a postgres server shouldn't mean being able to open
>> tcp connections *from* that server to arbitrary other host/ports.
>
> You forget that dblink isn't even installed by default. I could see
> having some more verbiage in the documentation explaining these possible
> security risks, but making it unusable is an overreaction.
It's not like granting execute privilege is a particularly complex or obscure command. It's a better policy that packages be designed so that merely installing them doesn't have direct security implications. That way sysadmins can install a wide range of packages to satisfy user demand and count on security infrastructure to control security.

Consider a scenario like "package <x> uses dblink". Sysadmin follows instructions for package <x> and installs dblink. Now package <x>'s documentation isn't going to explain the second-order effects and discuss restricting who has access to dblink. The sysadmin has no particular interest in using dblink himself and probably will never read any dblink docs.

On the other hand if dblink can't be executed by random users then when package x tells you to install dblink it will also tell you to grant access to the user that package runs as. The sysadmin can consider which users that should be.

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
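The lockdown Gregory describes (dblink installed, but executable only by the role a particular package runs as) is what a sysadmin would type today. The following is an added example, not code from the thread or from the dblink module itself. It assumes a PostgreSQL release where dblink is installed with CREATE EXTENSION, and uses a hypothetical application role named pkg_x_role standing in for "the user that package <x> runs as".

```sql
-- Added example (not from the thread): restrict dblink to one role after
-- installing it. Assumes dblink is installed as an extension and that
-- pkg_x_role is the hypothetical role package <x> connects as.

CREATE EXTENSION IF NOT EXISTS dblink;
CREATE ROLE pkg_x_role;  -- hypothetical; substitute the package's real role

-- 1. Take EXECUTE away from PUBLIC on every function that belongs to the
--    dblink extension, whatever its signature, so a fresh install is not
--    callable by arbitrary connected users.
DO $$
DECLARE
    fn regprocedure;
BEGIN
    FOR fn IN
        SELECT p.oid::regprocedure
        FROM pg_proc p
        JOIN pg_depend d ON d.objid = p.oid
                        AND d.classid = 'pg_proc'::regclass
                        AND d.refclassid = 'pg_extension'::regclass
                        AND d.deptype = 'e'
        JOIN pg_extension e ON e.oid = d.refobjid
        WHERE e.extname = 'dblink'
    LOOP
        -- regprocedure renders as name(argtypes), which is exactly the
        -- form REVOKE ... ON FUNCTION expects.
        EXECUTE format('REVOKE EXECUTE ON FUNCTION %s FROM PUBLIC', fn);
    END LOOP;
END
$$;

-- 2. Grant back only the entry points the package documents needing,
--    to the role it runs as (the grants package <x> would tell you to make).
GRANT EXECUTE ON FUNCTION dblink_connect(text, text) TO pkg_x_role;
GRANT EXECUTE ON FUNCTION dblink(text, text)         TO pkg_x_role;
GRANT EXECUTE ON FUNCTION dblink_disconnect(text)    TO pkg_x_role;

-- 3. Check: list every non-superuser role that can still call any dblink
--    function. After the steps above, only pkg_x_role should appear.
SELECT p.oid::regprocedure AS function,
       r.rolname           AS role_with_execute
FROM pg_proc p
JOIN pg_depend d ON d.objid = p.oid
                AND d.classid = 'pg_proc'::regclass
                AND d.refclassid = 'pg_extension'::regclass
                AND d.deptype = 'e'
JOIN pg_extension e ON e.oid = d.refobjid
CROSS JOIN pg_roles r
WHERE e.extname = 'dblink'
  AND NOT r.rolsuper
  AND has_function_privilege(r.rolname, p.oid, 'EXECUTE')
ORDER BY 1, 2;
```

Driving the REVOKE from pg_depend rather than a hand-written list means an overload added in a later dblink release is covered too; the final query is the check to rerun after any upgrade of the extension, since a new function would come back with the default PUBLIC grant.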