| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Marko Kreen" <markokr(at)gmail(dot)com> |
| Cc: | "Postgres Hackers" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [patch] plproxy v2 |
| Date: | 2008-07-21 20:07:34 |
| Message-ID: | 17081.1216670854@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
"Marko Kreen" <markokr(at)gmail(dot)com> writes:
> [ plproxy ]
I looked through this a bit, and my principal reaction was "what are
the security implications?" It seems like it'd be very easy to create
functions that allow untrusted users to execute arbitrary SQL on
other databases in the plproxy cluster. As far as I saw there was
no privilege-checking within plproxy itself, you were just relying
on SQL-level permissions checking --- so even though plproxy functions
can only be *created* by superusers, by default they can be *used* by
anybody. So it'd take a great deal of care to avoid making
unintentional security holes.
I'm not sure about a good solution to this problem, but I think it needs
to be solved before plproxy can be recommended for widespread use.
The first thought that comes to mind is to somehow propagate the userid
on the calling server to the execution on the remote, so that a user
can't get more privilege on the remote than if he were executing there
directly. I'm imagining that the definition of a cluster would include
a map from local to remote userids (and thereby imply that anyone not
explicitly listed can't do remote access at all).
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Riggs | 2008-07-21 20:08:11 | Re: [HACKERS] Hint Bits and Write I/O |
| Previous Message | Andrew Sullivan | 2008-07-21 19:59:02 | Re: Load spikes on 8.1.11 |