From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Joe Conway <mail(at)joeconway(dot)com> |
Cc: | Gregory Stark <stark(at)enterprisedb(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-patches <pgsql-patches(at)postgresql(dot)org> |
Subject: | Re: dblink connection security |
Date: | 2007-07-09 16:29:47 |
Message-ID: | 23070.1183998587@sss.pgh.pa.us |
Lists: | pgsql-patches |

Joe Conway <mail(at)joeconway(dot)com> writes:
> But if you know of a security risk related to using libpq
> with a password authenticated connection, let's hear it.

As near as I can tell, the argument is that dblink might be used to send
connection-request packets to random addresses. Now this is only a
security issue if the attacker could not have reached such an address
directly; otherwise he might as well send the packet himself (and have a
lot more control over its content). So I guess the scenario is that
you're running your database on your firewall machine, where it is
accessible from outside your net but also can reach addresses inside.
And you're letting untrustworthy outside people log into the database.
And you put dblink on it for them to use. And even then, the amount of
damage they could do seems pretty limited due to lack of control over
the packet contents.

To me this scenario is too far-fetched to justify sacrificing
convenience and backwards compatibility. It should be sufficient to add
some paragraphs about security considerations to the dblink docs.

regards, tom lane