"Joe Conway" <[EMAIL PROTECTED]> writes:

> Stephen Frost wrote:
>> * Joe Conway ([EMAIL PROTECTED]) wrote:
>>> There are none installed by default -- that's the point.
>>
>> Uhh...  None what?  Functions in untrusted languages?  That's certainly
>> not the case, there's a whole slew of them, from boolin to
>> generate_series and beyond.  They're available to regular users, even!
>
> Get serious. Internal functions are specifically designed and maintained to be
> safe within the confines of the database security model. We are discussing
> extensions to the core, all of which must be installed by choice, by a 
> superuser.

That doesn't mean they shouldn't be concerned with security.

Consider dblink as an entirely separate product which depends on Postgres the
way Postgres depends on the OS. We are discussing how the dblink software should
behave when installed with *its* default configuration.

When *Postgres is installed on Unix* it modifies the Unix security model
allowing internet users to connect and execute SQL queries. But it is
configured to be "secure by default" by requiring explicit authorization for
users who should be allowed to connect. Merely installing *Postgres on Unix*
doesn't allow arbitrary internet users to use your machine to store data.

Likewise when *dblink is installed on Postgres* it modifies the Postgres
security model to allow exterior users to create tcp connections originating
from your host. This is something Postgres and indeed Unix in general forbid.
It should be configured so that when *dblink* is installed it is configured to
be "secure by default" by requiring explicit authorization for users who
should be allowed to form connections. Merely installing *dblink on Postgres*
shouldn't allow arbitrary Postgres users to use your machine to launch
attacks.

-- 
  Gregory Stark
  EnterpriseDB          http://www.enterprisedb.com
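
Added example, not part of the message above or of the dblink distribution: one way an administrator could get the "explicit authorization" behaviour argued for here, by revoking the default PUBLIC execute privilege on the dblink functions that can open a connection and granting it to a dedicated role. The role name dblink_users is hypothetical, and the probin filter assumes the functions were loaded from the standard dblink shared library.

```sql
-- Added example. Run as a superuser in the database where dblink is installed.
-- Assumption: dblink_users is a hypothetical role created for this purpose.
BEGIN;

CREATE ROLE dblink_users NOLOGIN;

DO $$
DECLARE
    f regprocedure;
BEGIN
    -- Every overload of the functions that can open an outbound connection,
    -- either explicitly or from a connection string passed as an argument.
    FOR f IN
        SELECT p.oid::regprocedure
        FROM pg_proc p
        WHERE p.proname IN ('dblink_connect', 'dblink_connect_u',
                            'dblink', 'dblink_exec')
          AND p.probin LIKE '%dblink'   -- assumption: standard library path
    LOOP
        -- Functions are executable by PUBLIC unless that privilege is revoked.
        EXECUTE format('REVOKE EXECUTE ON FUNCTION %s FROM PUBLIC', f);
        EXECUTE format('GRANT EXECUTE ON FUNCTION %s TO %I', f, 'dblink_users');
    END LOOP;
END
$$;

COMMIT;

-- Verification: list the resulting ACLs. A NULL proacl means the built-in
-- default still applies (PUBLIC may execute); an entry beginning with "=X/"
-- is an explicit PUBLIC execute grant. Neither should remain.
SELECT p.oid::regprocedure AS function_signature,
       p.proacl
FROM pg_proc p
WHERE p.proname IN ('dblink_connect', 'dblink_connect_u',
                    'dblink', 'dblink_exec')
  AND p.probin LIKE '%dblink'
ORDER BY 1;

-- Authorize a specific user explicitly (some_user is a placeholder):
-- GRANT dblink_users TO some_user;
```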

