From: | Joe Conway <mail(at)joeconway(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, Gregory Stark <stark(at)enterprisedb(dot)com>, pgsql-patches <pgsql-patches(at)postgresql(dot)org> |
Subject: | Re: dblink connection security |
Date: | 2007-07-01 19:11:37 |
Message-ID: | 4687FC69.6070305@joeconway.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-patches |
Tom Lane wrote:
> Robert Treat <xzilla(at)users(dot)sourceforge(dot)net> writes:
>> Did you mean s/trust/ident/g, otherwise I don't think I understand the
>> above...
>
> Both trust and ident local auth are sources of risk for this, although
> ident is particularly nasty since the DBA probably thinks he's being
> secure.
>
> For that matter, I'm not sure that *any* auth method except password
> offers much security against the problem; don't LDAP and Kerberos
> likewise rely mostly on process-level identity? And possibly PAM
> depending on which PAM plugin you're using?
OK, so following that line of thought, how about:
As a security precaution, dblink revokes access from PUBLIC role
usage for the dblink_connect functions. It is not safe to allow
ordinary users to execute dblink from a database in a PostgreSQL
installation that allows account access using any authentication
method which does not require a password. In that case, ordinary
users could gain access to other accounts via dblink as if they
had the privileges of the database superuser.
If the allowed authentication methods require a password, this is no
longer an issue.
> I'm not sure whether this is something to back-patch, though, since
> a back-patch will accomplish zero for existing installations.
OK. But it might still be worth doing, along with something in the
release notes.
Joe
From | Date | Subject | |
---|---|---|---|
Next Message | Joe Conway | 2007-07-01 19:15:22 | Re: dblink connection security |
Previous Message | Magnus Hagander | 2007-07-01 19:10:25 | Re: dblink connection security |