| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Gregory Stark <stark(at)enterprisedb(dot)com> |
| Cc: | Joe Conway <mail(at)joeconway(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-patches <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: dblink connection security |
| Date: | 2007-07-09 02:13:53 |
| Message-ID: | 20070709021353.GP4887@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
* Gregory Stark (stark(at)enterprisedb(dot)com) wrote:
> "Joe Conway" <mail(at)joeconway(dot)com> writes:
> > If there are no objections I'll commit this later today.
>
> My objection is that I think we should still revoke access for non-superuser
> by default. The patch makes granting execute reasonable for most users but
> nonetheless it shouldn't be the default.
>
> Being able to connect to a postgres server shouldn't mean being able to open
> tcp connections *from* that server to arbitrary other host/ports. Consider for
> example that it would allow a user to perform a port scan from inside your
> network to see what internal services are running.
I'm in agreement with Greg. It's a poor idea, overall, to allow users
to initiate TCP connections from the backend. That should be a
superuser-only ability and should require security definer functions
with appropriate safe-guards (which would be site-specific) to be
created by the end admins.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2007-07-09 02:39:11 | Re: dblink connection security |
| Previous Message | Alvaro Herrera | 2007-07-08 23:16:53 | Re: Compile error with MSVC |