Re: dblink connection security

"Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:

> Gregory Stark <stark(at)enterprisedb(dot)com> writes:
>> My objection is that I think we should still revoke access for non-superuser
>> by default. The patch makes granting execute reasonable for most users but
>> nonetheless it shouldn't be the default.
>
>> Being able to connect to a postgres server shouldn't mean being able to open
>> tcp connections *from* that server to arbitrary other host/ports.
>
> You forget that dblink isn't even installed by default. I could see
> having some more verbiage in the documentation explaining these possible
> security risks, but making it unusable is an overreaction.

It's not like granting execute privilege is a particularly complex or obscure
command. It's a better policy that packages be designed so that merely
installing them doesn't have direct security implications. That way sysadmins
can install a wide range of packages to satisfy user demand and count on
security infrastructure to control security.

Consider a scenario like "package <x> uses dblink". Sysadmin follows
instructions for package <x> and installs dblink. Now package <x>'s
documentation isn't going to explain the second-order effects and discuss
restricting who has access to dblink. The sysadmin has no particular interest
in using dblink himself and probably will never read any dblink docs.

On the other hand if dblink can't be executed by random users then when
package x tells you to install dblink it will also tell you to grant access to
the user that package runs as. The sysadmin can consider which users that
should be.

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com