On Tue, 2008-07-22 at 11:25 -0400, Tom Lane wrote:
> "Marko Kreen" <markokr@gmail.com> writes:
> > And user can execute only pre-determines queries/functions on system2.
>
> If that were actually the case then the security issue wouldn't loom
> quite so large, but the dynamic_query example in the plproxy regression
> tests provides a perfect example of how to ruin your security.
The idea is to allow the pl/proxy user only access to the needed
functions and nothing else on the remote db side.
dynamic_query ruins your security, if your pl/proxy remote user has too
much privileges.
> > Do you still see a big hole?
>
> Truck-sized, at least.
>
> The complaint here is not that it's impossible to use plproxy securely;
> the complaint is that it's so very easy to use it insecurely.
You mean "easy" like it is very easy to always use your OS as root ?
On Unix this is fixed by stating it as a bad idea in docs (and numerous
books), on windows you have a "privileged" checkbox when creating new
users.
---------------
Hannu
