Re: Bugtraq: Having Fun With PostgreSQL

From: Florian Pflug <fgp(dot)phlo(dot)org(at)gmail(dot)com>
To: Florian Pflug <fgp(dot)phlo(dot)org(at)gmail(dot)com>, Gregory Stark <stark(at)enterprisedb(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Hammond <andrew(dot)george(dot)hammond(at)gmail(dot)com>, Andrew Sullivan <ajs(at)crankycanuck(dot)ca>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Bugtraq: Having Fun With PostgreSQL
Date: 2007-06-27 16:23:49
Message-ID: 46828F15.7020404@gmail.com
Lists: pgsql-hackers

Stephen Frost wrote:
> * Florian Pflug (fgp(dot)phlo(dot)org(at)gmail(dot)com) wrote:
>> Gregory Stark wrote:
>>> All that really has to happen is that dblink should by default not be callable
>>> by any user other than Postgres. DBAs should be required to manually run
>>> "GRANT EXECUTE ON dblink_connect(text) TO public;" if that's what he wants.
>> That serves the purpose of making PG "secure by default" (whatever that means
>> exactly) well, and surely is a good short-term solution.
>> But it severely limits the usefulness of dblink on setup where PG uses
>> ident auth either via TCP or unix-sockets - there seems to be no way to
>> securely users use dblink in such a setup.
>
> Uh, have the admin create appropriate views.
I meant letting them use it to connect to arbitrary databases and hosts, not
executing only predefined queries. My wording wasn't clear in that regard,
though.

>> Therefore I think there should be a ToDO
>> "Explore how dblink can be made safe if used together with ident
>> authentication"
>> or something similar.
>
> I disagree. What dblink *does* is insecure and in general *shouldn't*
> be something regular users can do. That goes well and beyond just the
> ident case, imv, but it's handy thing to point to atm.
I fail to see why dblink is any more insecure than, say, plpgsql or
plperl (not plperlu). It doesn't give any more privileges than pgsql
would. The only exception IMHO are privileges that you get because
dblink issues that connection from a specific machine as a specific user.

What other security problems does dblink impose? Maybe I'm just being blind..

greetings, Florian Pflug
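
The default-deny setup quoted at the top of this message, as an added example that is not part of the original email or of the dblink sources: an audit of who can execute the dblink functions, followed by the revoke and an explicit opt-in. It assumes a recent PostgreSQL release with dblink installed on the search path; the role name `reporting_role` is hypothetical.

```sql
-- Audit: which grantees hold EXECUTE on the dblink functions in this database?
-- In an ACL entry, grantee = 0 stands for PUBLIC. A NULL proacl means the
-- built-in default applies, which for functions includes EXECUTE for PUBLIC,
-- so the default is expanded with acldefault() before the check.
SELECT p.oid::regprocedure AS function_signature,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee)
       END AS grantee
FROM pg_proc AS p
CROSS JOIN LATERAL
     aclexplode(coalesce(p.proacl, acldefault('f', p.proowner))) AS a
WHERE p.proname LIKE 'dblink%'
  AND a.privilege_type = 'EXECUTE'
ORDER BY p.proname, grantee;

-- Default-deny: remove the implicit PUBLIC grant on the connect functions.
REVOKE EXECUTE ON FUNCTION dblink_connect(text) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink_connect(text, text) FROM PUBLIC;

-- Explicit opt-in by the DBA for one role (hypothetical name).
GRANT EXECUTE ON FUNCTION dblink_connect(text) TO reporting_role;
```

Re-running the audit query after the revoke should show no PUBLIC row for the connect functions; any other dblink function that still lists PUBLIC and accepts a connection string needs the same treatment.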
