| From: | Joe Conway <mail(at)joeconway(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Marko Kreen <markokr(at)gmail(dot)com>, Postgres Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [patch] fix dblink security hole |
| Date: | 2008-09-22 04:21:35 |
| Message-ID: | 48D71D4F.2090202@joeconway.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
>
> What do you think about getting rid of the password_from_string state
> variable? It was always a bit of a kluge, and we don't seem to need
> it anymore with this approach.
It is still used in PQconnectionUsedPassword(). That is still needed to
prevent a non-superuser from logging in as the superuser if the server
does not require authentication. In that case, any bogus password could
be added to the connection string and be subsequently ignored, if not
for this check.
e.g. with a default pg_hba.conf
8<-------------------------------------
psql contrib_regression -U luser
psql (8.4devel)
Type "help" for help.
contrib_regression=> SELECT dblink_connect('password=luser
dbname=contrib_regression');
ERROR: password is required
DETAIL: Non-superuser cannot connect if the server does not request a
password.
HINT: Target server's authentication method must be changed.
8<-------------------------------------
Without PQconnectionUsedPassword() that would have succeeded in logging
in as the superuser, because the password is never actually checked.
Joe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Fetter | 2008-09-22 05:32:35 | Re: pg_dump feature |
| Previous Message | Tom Lane | 2008-09-22 03:47:15 | Re: [patch] fix dblink security hole |