Re: dblink connection security
From | Stephen Frost |
---|---|
Subject | Re: dblink connection security |
Date | |
Msg-id | 20070709021353.GP4887@tamriel.snowman.net |
In response to | Re: dblink connection security (Gregory Stark <stark@enterprisedb.com>) |
Responses | Re: dblink connection security |
List | pgsql-patches |
* Gregory Stark (stark@enterprisedb.com) wrote:
> "Joe Conway" <mail@joeconway.com> writes:
>
> > If there are no objections I'll commit this later today.
>
> My objection is that I think we should still revoke access for non-superuser
> by default. The patch makes granting execute reasonable for most users but
> nonetheless it shouldn't be the default.
>
> Being able to connect to a postgres server shouldn't mean being able to open
> tcp connections *from* that server to arbitrary other host/ports. Consider for
> example that it would allow a user to perform a port scan from inside your
> network to see what internal services are running.

I'm in agreement with Greg. It's a poor idea, overall, to allow users to
initiate TCP connections from the backend. That should be a superuser-only
ability and should require security definer functions with appropriate
safe-guards (which would be site-specific) to be created by the end admins.

Thanks,

Stephen
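
One way to set up the arrangement described in the message, as an added example that is not part of the original post or of dblink itself: EXECUTE on connection-opening dblink functions is revoked from PUBLIC, and a SECURITY DEFINER wrapper lets one role reach only admin-listed targets with a fixed query. The schema `site_dblink`, role `reporting`, the table, host and remote view names are hypothetical, and dblink is assumed to be installed in schema `public`; run as a superuser.

```sql
-- 1. By default no non-superuser may open connections from the backend.
--    These are the entry points used below; audit the remaining dblink
--    functions shipped with your version in the same way.
REVOKE EXECUTE ON FUNCTION public.dblink_connect(text)       FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION public.dblink_connect(text, text) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION public.dblink(text, text)         FROM PUBLIC;

-- 2. Site-specific safeguard: an allow-list that only the admin can edit.
CREATE SCHEMA site_dblink;                        -- hypothetical schema
CREATE TABLE site_dblink.allowed_target (
    name    text PRIMARY KEY,
    connstr text NOT NULL
);
REVOKE ALL ON site_dblink.allowed_target FROM PUBLIC;
INSERT INTO site_dblink.allowed_target VALUES     -- constructed sample row
    ('reports', 'host=reports.internal.example port=5432 dbname=reports user=report_ro');

-- 3. SECURITY DEFINER wrapper: the caller picks a target name, never a
--    host or port, and cannot change the query sent to the remote server.
CREATE FUNCTION site_dblink.order_totals(target text)
RETURNS TABLE (day date, amount numeric)
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp             -- every object is schema-qualified
AS $$
DECLARE
    cs text;
BEGIN
    SELECT t.connstr INTO cs
    FROM site_dblink.allowed_target t
    WHERE t.name = target;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'dblink target "%" is not allow-listed', target;
    END IF;
    -- One-shot form: dblink opens and closes the connection itself, so no
    -- named connection is left behind in the caller's session.
    RETURN QUERY
        SELECT r.order_day, r.total
        FROM public.dblink(cs, 'SELECT order_day, total FROM daily_order_totals')
             AS r(order_day date, total numeric);
END;
$$;

-- 4. Functions are executable by PUBLIC when created, so lock the wrapper down.
REVOKE ALL ON FUNCTION site_dblink.order_totals(text) FROM PUBLIC;
GRANT USAGE ON SCHEMA site_dblink TO reporting;   -- hypothetical role
GRANT EXECUTE ON FUNCTION site_dblink.order_totals(text) TO reporting;
```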