| From: | Joe Conway <mail(at)joeconway(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, Gregory Stark <stark(at)enterprisedb(dot)com>, pgsql-patches <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: dblink connection security |
| Date: | 2007-07-07 05:00:51 |
| Message-ID: | 468F1E03.4000600@joeconway.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
Tom Lane wrote:
>
> Here's a straw-man proposal that we could perhaps do for 8.3:
What about using the attached for 8.3, as well as earlier?
It simply does not allow the local database user to become someone else
on the libpq remote connection unless they are a superuser. As Tom
noted, a simple SECURITY DEFINER function created as a superuser could
allow backward compatible behavior.
CREATE OR REPLACE FUNCTION dblink_connect_u(connstr TEXT)
RETURNS TEXT AS $$
DECLARE passed TEXT;
BEGIN
SELECT dblink_connect(connstr) INTO passed;
RETURN passed;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
contrib_regression=# \c - foo
You are now connected to database "contrib_regression" as user "foo".
contrib_regression=> select dblink_connect('dbname=contrib_regression');
ERROR: switching user not allowed
DETAIL: failed to connect local user "foo" as remote user "postgres"
HINT: only superuser may switch user name
contrib_regression=> select dblink_connect_u('dbname=contrib_regression');
dblink_connect_u
------------------
OK
(1 row)
Comments?
Thanks,
Joe
| Attachment | Content-Type | Size |
|---|---|---|
| user-restrict.01.diff | text/x-patch | 1.1 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2007-07-07 07:44:51 | Re: Compile error with MSVC |
| Previous Message | Alvaro Herrera | 2007-07-06 20:44:22 | Re: Still recommending daily vacuum... |