Skip site navigation (1) Skip section navigation (2)

[patch] fix dblink security hole

From: "Marko Kreen" <markokr(at)gmail(dot)com>
To: "Postgres Hackers" <pgsql-hackers(at)postgresql(dot)org>, "Joe Conway" <mail(at)joeconway(dot)com>
Subject: [patch] fix dblink security hole
Date: 2008-08-07 13:53:49
Message-ID: e51f66da0808070653y3d3d065am5dfa258a6273b849@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
Currently dblink allows regular users to initiate libpq connection
to user-provided connection string.  This breaks the default
policy that normal users should not be allowed to freely interact
with outside environment.

In addition to breaking standard security policy, dblink exposes
.pgpass/pg_service.conf contents of the OS user database is running
under to the non-privileged database user.  (Esp. passwords)

The were already couple of hacks added to libpq and dblink that
disallow the re-use of passwords acquired from .pgpass/pg_service.
The hacks make sure the password is used for login and it came
from connection string.

But they take effect *after* login is finished, thus leaving open
even nastier hole - user can *look* at the passwords by simply
directing the connection to host where is a Postgres-emulator
installed that requests plaintext authentication.

Attached patch fixes the problems by allowing only superusers
to specify connection strings.

Instead of playing with permissions, it hardwires the check to
C code for following reasons:
- encouraging use of SECURITY DEFINER functions to choose
  the connection string so they are always under control of admin
- discouraging solutions where normal user can freely pick
  connection string
- making dblink security similar to other remote-access solutions
  which do not let regular user pick connection string (plproxy / dbi-link)

I understand some of current users may dislike the patch as currently
dblink does not give any support for running it securely.

I've outlined possible future API direction here:

  http://archives.postgresql.org/pgsql-hackers/2008-07/msg01302.php

Mainly this involves creating superuser-controlled name->connstr lookup
mechanism.  Either specific to dblink or possibly built into core,
so other remote-access solutions can use it also.

-- 
marko

Attachment: dblink.fix.diff
Description: text/x-diff (999 bytes)

Responses

pgsql-hackers by date

Next:From: Simon RiggsDate: 2008-08-07 13:59:47
Subject: Re: For what should pg_stop_backup wait?
Previous:From: Simon RiggsDate: 2008-08-07 13:42:41
Subject: Re: Visibility Groups

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group