From: | Joe Conway <mail(at)joeconway(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, Gregory Stark <stark(at)enterprisedb(dot)com>, pgsql-patches <pgsql-patches(at)postgresql(dot)org> |
Subject: | Re: dblink connection security |
Date: | 2007-07-07 16:24:50 |
Message-ID: | 468FBE52.2010005@joeconway.com |
Lists: | pgsql-patches |
Tom Lane wrote:
> Joe Conway <mail(at)joeconway(dot)com> writes:
>> What about using the attached for 8.3, as well as earlier?
>
>> It simply does not allow the local database user to become someone else
>> on the libpq remote connection unless they are a superuser.
>
> This assumes that usernames on the remote site are equivalent to those
> locally. Which is helpful for the sort of local-loop scenarios we've
> been thinking about, but is hardly watertight even then (consider
> multiple postmasters on one machine). For remote connections it seems
> counterproductive; you might as well say "you must be superuser" and
> keep it simple.

I see your point. OK, I'm back to implementing your proposal...

One question: should we provide the SECURITY DEFINER functions with
revoked privileges or just mention that in the docs? I was thinking
something along the lines of the following even for the backpatched version:

CREATE OR REPLACE FUNCTION dblink_connect_u (text)
RETURNS text
AS 'MODULE_PATHNAME','dblink_connect'
LANGUAGE C STRICT SECURITY DEFINER;

CREATE OR REPLACE FUNCTION dblink_connect_u (text, text)
RETURNS text
AS 'MODULE_PATHNAME','dblink_connect'
LANGUAGE C STRICT SECURITY DEFINER;

REVOKE execute ON FUNCTION dblink_connect_u (text) FROM public;
REVOKE execute ON FUNCTION dblink_connect_u (text, text) FROM public;

Joe
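
An added example, not part of the original message or of dblink itself: a privilege audit that could be run after installing functions defined as in the message above, to confirm that PUBLIC has no EXECUTE on them and to delegate access to a single role. The role name `dblink_trusted` is hypothetical, and the example assumes both `dblink_connect_u` variants exist in the current database.

```sql
-- Added example; assumes dblink_connect_u (text) and (text, text) exist
-- as defined in the message above. "dblink_trusted" is a hypothetical role.

-- 1. Confirm both variants are SECURITY DEFINER and that PUBLIC
--    cannot execute them (public_can_execute should be false).
SELECT p.oid::regprocedure                                AS function,
       p.prosecdef                                        AS security_definer,
       has_function_privilege('public', p.oid, 'EXECUTE') AS public_can_execute
FROM pg_proc p
WHERE p.proname = 'dblink_connect_u'
ORDER BY 1;

-- 2. Delegate access explicitly to one non-login role instead of PUBLIC;
--    membership in that role is then the single point of control.
CREATE ROLE dblink_trusted NOLOGIN;
GRANT EXECUTE ON FUNCTION dblink_connect_u (text)       TO dblink_trusted;
GRANT EXECUTE ON FUNCTION dblink_connect_u (text, text) TO dblink_trusted;

-- 3. List every role that can currently execute either variant.
--    Superusers always appear, since they bypass privilege checks;
--    any other unexpected role is a grant to review.
SELECT r.rolname,
       r.rolsuper,
       p.oid::regprocedure AS function
FROM pg_proc p
CROSS JOIN pg_roles r
WHERE p.proname = 'dblink_connect_u'
  AND has_function_privilege(r.oid, p.oid, 'EXECUTE')
ORDER BY r.rolname, 3;
```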