Re: User Privileges using dblink - Mailing list pgsql-general

From Tom Lane
Subject Re: User Privileges using dblink
Date
Msg-id 17271.1087913128@sss.pgh.pa.us
Whole thread Raw
In response to User Privileges using dblink  ("Kreißl, Karsten" <KREISSL@his.de>)
List pgsql-general
=?iso-8859-1?Q?=22Krei=DFl=2C_Karsten=22?= <KREISSL@his.de> writes:
> The second problem with dblink is a security hole.

> create view myinst as select * from dblink('dbname=sva4_int1','select .... from inst') as (.......);

This is not a security hole in dblink, it is a security hole in your
pg_hba.conf setup.  Don't use trust authentication.

> This problem could also be resolved, if dblink uses the current login
> information.

That seems completely impractical.  In the first place, it's not a
reasonable default (there's no good reason to assume that the remote
DB has the same users as the local), and in the second place dblink
cannot get at the user's password.  (We *would* have a security hole
if it could.)

            regards, tom lane

pgsql-general by date:

Previous
From: Tatsuo Ishii
Date:
Subject: pgpool 2.0 is available
Next
From: Milos Prudek
Date:
Subject: insert with select as value