Re: [patch] plproxy v2 - Mailing list pgsql-hackers

From Hannu Krosing
Subject Re: [patch] plproxy v2
Date
Msg-id 1216915260.7001.53.camel@huvostro
Whole thread Raw
In response to Re: [patch] plproxy v2  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Tue, 2008-07-22 at 11:25 -0400, Tom Lane wrote:
> "Marko Kreen" <markokr@gmail.com> writes:
> > And user can execute only pre-determines queries/functions on system2.
> 
> If that were actually the case then the security issue wouldn't loom
> quite so large, but the dynamic_query example in the plproxy regression
> tests provides a perfect example of how to ruin your security.

The idea is to allow the pl/proxy user only access to the needed
functions and nothing else on the remote db side.

dynamic_query ruins your security, if your pl/proxy remote user has too
much privileges.

> > Do you still see a big hole?
> 
> Truck-sized, at least.
> 
> The complaint here is not that it's impossible to use plproxy securely;
> the complaint is that it's so very easy to use it insecurely.

You mean "easy" like it is very easy to always use your OS as root ?

On Unix this is fixed by stating it as a bad idea in docs (and numerous
books), on windows you have a "privileged" checkbox when creating new
users.

---------------
Hannu




pgsql-hackers by date:

Previous
From: Teodor Sigaev
Date:
Subject: Re: [PATCHES] GIN improvements
Next
From: "Joshua D. Drake"
Date:
Subject: Re: Do we really want to migrate plproxy and citext into PG core distribution?