Re: dblink connection security

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Joe Conway <mail(at)joeconway(dot)com>
Cc: Gregory Stark <stark(at)enterprisedb(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: dblink connection security
Date: 2007-07-09 04:45:19
Message-ID: 20070709044518.GV4887@tamriel.snowman.net
Lists: pgsql-patches

* Joe Conway (mail(at)joeconway(dot)com) wrote:
> Stephen Frost wrote:
>> I see.. So all the functions in untrusted languages that come with PG
>> initially should be checked over by every sysadmin when installing PG
>> every time... And the same for PostGIS, and all of the PL's that use
>> untrusted languages?
>
> There are none installed by default -- that's the point.

Uhh... None what? Functions in untrusted languages? That's certainly
not the case, there's a whole slew of them, from boolin to
generate_series and beyond. They're available to regular users, even!

Or do you mean that there are no known-insecure functions which are
installed and enabled for users to use by default? I'd have to agree
with you there in general, would kind of like to keep it that way too.

Perhaps you're referring to PLs, but then, I thought trusted PLs were
safe, but they're written using untrusted languages! Are they safe, or
not? Safe to use, but not safe to install?

>> On my pretty modest install that's 2,206 functions. For some reason I
>> see something of a difference between 'generate_series' and 'dblink' in
>> terms of security and which one I'm comfortable having enabled by
>> default and which one I'm not.
>
> generate_series is a built in function. We aren't discussing those.

Uh, it's written in an untrusted language, isn't it? Us poor sysadmins
are supposed to review all of them before letting users have access to
them, aren't we? Now I'm just completely confused as to the distinction
you're making here. Are functions in untrusted languages a problem,
or not?

Thanks,

Stephen
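
The distinction argued over in this message (built-in functions versus functions added later, both written in untrusted languages) can be inventoried from the system catalogs. The queries below are an added example, not part of the original email; they assume PostgreSQL 9.4 or later for the `FILTER` clause.

```sql
-- Added example (not from the thread).
-- 1) Count functions per implementation language, split by whether the
--    language is marked trusted and whether the function lives in pg_catalog
--    (built in), and show how many of them PUBLIC may execute.
SELECT l.lanname,
       l.lanpltrusted                  AS trusted_language,
       (n.nspname = 'pg_catalog')      AS built_in,
       count(*)                        AS functions,
       count(*) FILTER (
           WHERE has_function_privilege('public', p.oid, 'EXECUTE')
       )                               AS executable_by_public
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
GROUP BY l.lanname, l.lanpltrusted, (n.nspname = 'pg_catalog')
ORDER BY built_in DESC, functions DESC;

-- 2) The review list: functions outside the system schemas that are written
--    in an untrusted language (internal, c, untrusted PLs) and that any user
--    can call. Contrib modules such as dblink show up here once installed.
SELECT n.nspname                                   AS schema,
       p.proname                                   AS function,
       pg_get_function_identity_arguments(p.oid)   AS arguments,
       l.lanname                                   AS language,
       p.prosecdef                                 AS security_definer
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE NOT l.lanpltrusted
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_function_privilege('public', p.oid, 'EXECUTE')
ORDER BY n.nspname, p.proname;
```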
