dblink_connect_u(text connstr) returns text dblink_connect_u(text connname, text connstr) returns text
dblink_connect_u() is identical to
dblink_connect(), except that it will
allow non-superusers to connect using any authentication
method.
If the remote server selects an authentication method that does
not involve a password, then impersonation and subsequent
escalation of privileges can occur, because the session will appear
to have originated from the user as which the local PostgreSQL server runs. Also, even if the
remote server does demand a password, it is possible for the
password to be supplied from the server environment, such as a
~/.pgpass file belonging to the server's
user. This opens not only a risk of impersonation, but the
possibility of exposing a password to an untrustworthy remote
server. Therefore, dblink_connect_u()
is initially installed with all privileges revoked from PUBLIC, making it un-callable except by superusers.
In some situations it may be appropriate to grant EXECUTE permission for dblink_connect_u() to specific users who are
considered trustworthy, but this should be done with care. It is
also recommended that any ~/.pgpass file
belonging to the server's user not contain any records specifying a
wildcard host name.
For further details see dblink_connect().