Re: dblink connection security

Tom Lane wrote:
> Robert Treat <xzilla@users.sourceforge.net> writes:
>> Did you mean s/trust/ident/g, otherwise I don't think I understand the
>> above...
>
> Both trust and ident local auth are sources of risk for this, although
> ident is particularly nasty since the DBA probably thinks he's being
> secure.
>
> For that matter, I'm not sure that *any* auth method except password
> offers much security against the problem; don't LDAP and Kerberos
> likewise rely mostly on process-level identity?  And possibly PAM
> depending on which PAM plugin you're using?

OK, so following that line of thought, how about:

     As a security precaution, dblink revokes access from PUBLIC role
     usage for the dblink_connect functions. It is not safe to allow
     ordinary users to execute dblink from a database in a PostgreSQL
     installation that allows account access using any authentication
     method which does not require a password. In that case, ordinary
     users could gain access to other accounts via dblink as if they
     had the privileges of the database superuser.

     If the allowed authentication methods require a password, this is no
     longer an issue.

> I'm not sure whether this is something to back-patch, though, since
> a back-patch will accomplish zero for existing installations.

OK. But it might still be worth doing, along with something in the
release notes.

Joe