Re: Bugtraq: Having Fun With PostgreSQL

* Florian Pflug (fgp(dot)phlo(dot)org(at)gmail(dot)com) wrote:
> Gregory Stark wrote:
> >All that really has to happen is that dblink should by default not be
> >callable
> >by any user other than Postgres. DBAs should be required to manually run
> >"GRANT EXECUTE ON dblink_connect(text) TO public;" if that's what he wants.
>
> That serves the purpose of making PG "secure by default" (whatever that
> means
> exactly) well, and surely is a good short-term solution.
> But it severely limits the usefulness of dblink on setup where PG uses
> ident auth either via TCP or unix-sockets - there seems to be no way to
> securely users use dblink in such a setup.

Uh, have the admin create appropriate views.

> Therefore I think there should be a ToDO
> "Explore how dblink can be made safe if used together with ident
> authentication"
> or something similar.

I disagree. What dblink *does* is insecure and in general *shouldn't*
be something regular users can do. That goes well and beyond just the
ident case, imv, but it's handy thing to point to atm.

> The ideal solution would IMHO be to authenticate a user using dblink as
> the user he used to connect to PG in the first place - but since ident is
> handled outside of PG that might be impossible to archive without some
> really bad hacks. So maybe just finding a way to disable ident auth for
> connections made via dblink is sufficient.

erm, this isn't dblink anymore, this is cross-database stuff that should
be done completely differently from dblink, if it's going to be done at
all.

Thanks,

Stephen