Re: [patch] fix dblink security hole

On 9/21/08, Joe Conway <mail@joeconway.com> wrote:
> Marko Kreen wrote:
> > You need to ignore pg_service also.  (And PGPASSWORD)
>
>  Why? pg_service does not appear to support wildcards, so what is the attack
> vector?

"service=foo host=custom"

>  And on PGPASSWORD, the fine manual says the following:
>
>   PGPASSWORD sets the password used if the server demands password
>   authentication. Use of this environment variable is not recommended
>   for security reasons (some operating systems allow non-root users to
>   see process environment variables via ps); instead consider using the
>   ~/.pgpass file (see Section 30.13).

That does not mean it's OK to handle it insecurely.

If you want to solve the immediate problem with hack, then the cleanest
hack would be "no-external-sources-for-connection-details"-hack.

Leaving the less probable paths open is just sloppy attitude.

>  At the moment the only real issue I can see is .pgpass when wildcards are
> used for hostname:port:database.

Well, the real issue is that lusers are allowed to freely launch
connections, that's the source for all the other problems.

-- 
marko