| From: | Hannu Krosing <hannu(at)krosing(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Marko Kreen <markokr(at)gmail(dot)com>, Andrew Sullivan <ajs(at)commandprompt(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [patch] plproxy v2 |
| Date: | 2008-07-24 16:01:00 |
| Message-ID: | 1216915260.7001.53.camel@huvostro |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, 2008-07-22 at 11:25 -0400, Tom Lane wrote:
> "Marko Kreen" <markokr(at)gmail(dot)com> writes:
> > And user can execute only pre-determines queries/functions on system2.
>
> If that were actually the case then the security issue wouldn't loom
> quite so large, but the dynamic_query example in the plproxy regression
> tests provides a perfect example of how to ruin your security.
The idea is to allow the pl/proxy user only access to the needed
functions and nothing else on the remote db side.
dynamic_query ruins your security, if your pl/proxy remote user has too
much privileges.
> > Do you still see a big hole?
>
> Truck-sized, at least.
>
> The complaint here is not that it's impossible to use plproxy securely;
> the complaint is that it's so very easy to use it insecurely.
You mean "easy" like it is very easy to always use your OS as root ?
On Unix this is fixed by stating it as a bad idea in docs (and numerous
books), on windows you have a "privileged" checkbox when creating new
users.
---------------
Hannu
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Joshua D. Drake | 2008-07-24 16:06:16 | Re: Do we really want to migrate plproxy and citext into PG core distribution? |
| Previous Message | Teodor Sigaev | 2008-07-24 15:53:56 | Re: [PATCHES] GIN improvements |