Re: dblink connection security

Tom Lane wrote:
> Robert Treat <xzilla(at)users(dot)sourceforge(dot)net> writes:
>> Did you mean s/trust/ident/g, otherwise I don't think I understand the
>> above...
>
> Both trust and ident local auth are sources of risk for this, although
> ident is particularly nasty since the DBA probably thinks he's being
> secure.
>
> For that matter, I'm not sure that *any* auth method except password
> offers much security against the problem; don't LDAP and Kerberos
> likewise rely mostly on process-level identity? And possibly PAM
> depending on which PAM plugin you're using?

OK, so following that line of thought, how about:

As a security precaution, dblink revokes access from PUBLIC role
usage for the dblink_connect functions. It is not safe to allow
ordinary users to execute dblink from a database in a PostgreSQL
installation that allows account access using any authentication
method which does not require a password. In that case, ordinary
users could gain access to other accounts via dblink as if they
had the privileges of the database superuser.

If the allowed authentication methods require a password, this is no
longer an issue.

> I'm not sure whether this is something to back-patch, though, since
> a back-patch will accomplish zero for existing installations.

OK. But it might still be worth doing, along with something in the
release notes.

Joe