Re: [patch] fix dblink security hole

From: Tommy Gildseth <tommy(dot)gildseth(at)usit(dot)uio(dot)no>
To: Postgres Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [patch] fix dblink security hole
Date: 2008-09-22 20:58:19
Message-ID: 48D806EB.4090001@usit.uio.no
Lists: pgsql-hackers

Tom Lane wrote:
> Joe Conway <mail(at)joeconway(dot)com> writes:
>> Tom Lane wrote:
>>> No, the test to see if the server actually *asked* for the password is
>>> the important part at that end.
>
>> Oh, I see that now. So yes, as far as I can tell, password_from_string
>> is not used for anything anymore and should be removed.
>
> Okay. I just committed the patch without that change, but I'll go back
> and add it.

I'm not quite sure I fully understand the consequence of this change.
Does it basically mean that it's not possible to use .pgpass with dblink
for authentication?
The alternative then would be to hardcode the password in your stored
procedures, or store it in a separate table somehow?

--
Tommy Gildseth
