Re: dblink connection security - Mailing list pgsql-patches

From Tom Lane
Subject Re: dblink connection security
Date
Msg-id 16184.1183316735@sss.pgh.pa.us
Whole thread Raw
In response to Re: dblink connection security  (Stephen Frost <sfrost@snowman.net>)
Responses Re: dblink connection security
Re: dblink connection security
List pgsql-patches
Stephen Frost <sfrost@snowman.net> writes:
> * Magnus Hagander (magnus@hagander.net) wrote:
>> Kerberos is not affected either, because the server does not get a copy
>> of the ticket. In theory it could be affected if the server requested a
>> delegation enabled ticket, and exported it so it could be used, but none
>> of these are done.

> That's quite a stretch even there, imv anyway...  It'd have to be put
> somewhere a backend connecting would think to look for it, given that
> the user can't change the environment variables and whatnot (I don't
> think) of the backend process...

Hmm.  I think what you are both saying is that if the remote end wants
Kerberos auth then you would expect a dblink connection to always fail.
If so, then we still seem to be down to the conclusion that there
are only three kinds of dblink connection:
    * those that require a password;
    * those that don't work;
    * those that are insecure.

Would it be sensible to change dblink so that unless invoked by a
superuser, it fails any connection attempt in which no password is
demanded?  I am not sure that this is possible without changes to libpq;
but ignoring implementation difficulties, is this a sane idea from
the standpoint of security and usability?

            regards, tom lane

pgsql-patches by date:

Previous
From: Stephen Frost
Date:
Subject: Re: dblink connection security
Next
From: Magnus Hagander
Date:
Subject: Re: dblink connection security