Re: [patch] fix dblink security hole

From: Joe Conway <mail(at)joeconway(dot)com>
To: Tommy Gildseth <tommy(dot)gildseth(at)usit(dot)uio(dot)no>
Cc: Postgres Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [patch] fix dblink security hole
Date: 2008-09-22 22:42:13
Message-ID: 48D81F45.9020709@joeconway.com
Lists: pgsql-hackers

Tommy Gildseth wrote:
> Tom Lane wrote:
>> Okay. I just committed the patch without that change, but I'll go back
>> and add it.
>
> I'm not quite sure I fully understand the consequence of this change.
> Does it basically mean that it's not possible to use .pgpass with dblink
> for authentication?

It only applies to 8.4 (which is not yet released) and beyond.

dblink will still work as before for superusers.

> The alternative then would be to hardcode the password in your stored
> procedures, or store it in a separate table somehow?

Trusted non-superusers can be granted permission to use dblink_connect_u().

Joe
