Quick Links

Re: [patch] fix dblink security hole

From:	Joe Conway <mail(at)joeconway(dot)com>
To:	Tommy Gildseth <tommy(dot)gildseth(at)usit(dot)uio(dot)no>
Cc:	Postgres Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject:	Re: [patch] fix dblink security hole
Date:	2008-09-22 22:42:13
Message-ID:	48D81F45.9020709@joeconway.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Tommy Gildseth wrote:
> Tom Lane wrote:
>> Okay. I just committed the patch without that change, but I'll go back
>> and add it.
>
> I'm not quite sure I fully understand the consequence of this change.
> Does it basically mean that it's not possible to use .pgpass with dblink
> for authentication?

It only applies to 8.4 (which is not yet released) and beyond.

dblink will still work as before for superusers.

> The alternative then would be to hardcode the password in your stored
> procedures, or store it in a separate table somehow?

Trusted non-superusers can be granted permission to use dblink_connect_u().

Joe

In response to

Re: [patch] fix dblink security hole at 2008-09-22 20:58:19 from Tommy Gildseth

Responses

Re: [patch] fix dblink security hole at 2008-09-23 03:28:46 from Tom Lane

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Bruce Momjian	2008-09-23 01:51:16	Re: Proposed patch: make SQL interval-literal syntax work per spec
Previous Message	Simon Riggs	2008-09-22 22:06:01	Re: [PATCHES] Infrastructure changes for recovery