| From: | Joe Conway <mail(at)joeconway(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Gregory Stark <stark(at)enterprisedb(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-patches <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: dblink connection security |
| Date: | 2007-07-09 03:42:50 |
| Message-ID: | 4691AEBA.9080206@joeconway.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
Tom Lane wrote:
> Gregory Stark <stark(at)enterprisedb(dot)com> writes:
>> My objection is that I think we should still revoke access for non-superuser
>> by default. The patch makes granting execute reasonable for most users but
>> nonetheless it shouldn't be the default.
>
>> Being able to connect to a postgres server shouldn't mean being able to open
>> tcp connections *from* that server to arbitrary other host/ports.
>
> You forget that dblink isn't even installed by default. I could see
> having some more verbiage in the documentation explaining these possible
> security risks, but making it unusable is an overreaction.
>
Agreed.
If you are going to argue that we should revoke access for
non-superusers by default for dblink, then you are also arguing that we
should do the same for every function created with any untrusted language.
E.g. as I pointed out to Robert last week, just because an unsafe
function is created in plperlu, it doesn't mean that a non-superuser
can't run it immediately after it is created. There is no difference. It
is incumbent upon the DBA/superuser to be careful _whenever_ they create
any function using an untrusted language.
Joe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Gregory Stark | 2007-07-09 03:45:56 | Re: dblink connection security |
| Previous Message | Tom Lane | 2007-07-09 03:27:16 | Re: dblink connection security |