| From: | Tommy Gildseth <tommy(dot)gildseth(at)usit(dot)uio(dot)no> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: DBLink's default user: postgres |
| Date: | 2007-10-17 14:11:27 |
| Message-ID: | 4716180F.40600@usit.uio.no |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Rodrigo Hjort wrote:
> Is this the regular behavior on DBLink?
>
> rot=> SELECT user, current_database();
> current_user | current_database
> --------------+------------------
> sa_rot | rot
> (1 registro)
>
> rot=> SELECT *
> rot-> FROM dblink('dbname=escola',
> rot(> 'SELECT user, current_database()')
> rot-> AS (usr name, db name);
> usr | db
> ----------+--------
> postgres | escola
> (1 registro)
>
> This way, I fear DBLink functions should become a vulnerability issue
> on my database.
> Is there any way to protect or override this setting? Or it should be
> done on pg_hba.conf only?
This issue has been thoroughly discussed before. You can read more about
it in f.ex these threads:
http://archives.postgresql.org/pgsql-hackers/2007-06/msg00678.php
http://archives.postgresql.org/pgsql-patches/2007-07/msg00000.php
--
Tommy Gildseth
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2007-10-17 14:46:34 | Re: rolcanlogin vs. the flat password file |
| Previous Message | Heikki Linnakangas | 2007-10-17 14:07:46 | Re: Why copy_relation_data only use wal when WALarchiving is enabled |