* Tom Lane ([EMAIL PROTECTED]) wrote:
> Joe Conway <[EMAIL PROTECTED]> writes:
> > But if you know of a security risk related to using libpq 
> > with a password authenticated connection, let's hear it.
> As near as I can tell, the argument is that dblink might be used to send
> connection-request packets to random addresses.  Now this is only a
> security issue if the attacker could not have reached such an address
> directly; otherwise he might as well send the packet himself (and have a

No.  Being able to come from a different address is valuable even if you
can get to that address directly yourself.

> lot more control over its content).  So I guess the scenario is that
> you're running your database on your firewall machine, where it is
> accessible from outside your net but also can reach addresses inside.

It wouldn't need to be "on your firewall", just behind it, which is
extremely common.

> And you're letting untrustworthy outside people log into the database.

It's not nearly so convoluted.  SQL injections happen.  

> And you put dblink on it for them to use.  And even then, the amount of
> damage they could do seems pretty limited due to lack of control over
> the packet contents.

dblink could have been installed for a variety of reasons.  Making it
openly available on install makes it much less likely any additional
restrictions were placed on it.

> To me this scenario is too far-fetched to justify sacrificing
> convenience and backwards compatibility.  It should be sufficient to add
> some paragraphs about security considerations to the dblink docs.

I feel that requiring a sysadmin to issue a 'grant' if they want
that convenience is justified and reasonable.  We could include the
statement itself in the documentation we're expecting them to read
anyway so they can just copy & paste it.  Adding paragraphs to the
documentation is good but doesn't justify an insecure-by-default

Regardless of what core ends up doing, I'm hopeful it'll be disabled by
default under Debian.  It'd certainly be easier if it was done upstream.
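The lockdown argued for above, as an added example that is not part of the thread: revoke the default EXECUTE grant to PUBLIC on every dblink function and hand it to a dedicated role instead. The schema `public`, the role name `dblink_users` and the login role `reporting_app` are assumptions.

```sql
-- Added example, not from the thread. Assumes dblink is installed in schema
-- "public"; the role names "dblink_users" and "reporting_app" are placeholders.
-- Run as a superuser or as the owner of the dblink functions.

-- Role allowed to open outbound connections from the database server.
CREATE ROLE dblink_users NOLOGIN;

-- Walk every dblink* function and replace the default grant to PUBLIC
-- with a grant to the dedicated role.
DO $$
DECLARE
    f record;
BEGIN
    FOR f IN
        SELECT p.oid::regprocedure AS sig
        FROM pg_proc p
        JOIN pg_namespace n ON n.oid = p.pronamespace
        WHERE n.nspname = 'public'
          AND p.proname LIKE 'dblink%'
    LOOP
        EXECUTE format('REVOKE EXECUTE ON FUNCTION %s FROM PUBLIC', f.sig);
        EXECUTE format('GRANT EXECUTE ON FUNCTION %s TO dblink_users', f.sig);
    END LOOP;
END
$$;

-- Give the capability only to the accounts that actually need it.
GRANT dblink_users TO reporting_app;   -- placeholder login role

-- Check: list any dblink function PUBLIC can still execute. A NULL proacl
-- means default privileges, which include EXECUTE for PUBLIC, so it counts.
SELECT p.oid::regprocedure AS still_public
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.proname LIKE 'dblink%'
  AND (p.proacl IS NULL
       OR EXISTS (SELECT 1 FROM aclexplode(p.proacl) a
                  WHERE a.grantee = 0 AND a.privilege_type = 'EXECUTE'));
```

The final query should return no rows once the block has run; any row it lists is a function that an injected statement could still call without an explicit grant.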


