Re: User Privileges using dblink - Mailing list pgsql-general

From Kreißl, Karsten
Subject Re: User Privileges using dblink
Date
Msg-id E8AEFF3401E82E4699359F1EBBED6A2101F83BF7@exchange.his.de
Whole thread Raw
In response to User Privileges using dblink  ("Kreißl, Karsten" <KREISSL@his.de>)
Responses Re: User Privileges using dblink
Re: User Privileges using dblink
List pgsql-general
Hello Tom,

Ok, we have changed our authentication to password. Sorry, my mistake.

But, under this conditions we must specify username and password (without encryption!) in the view definition.
Every user can read this information using pgadmin or other tools. It's very simple !
In our environment the remote DB knows the same users as our local DB. So we are always searching for a solution,
withoutpublishing username and password. 
Our background is a migration from INFORMIX DB to PostgreSQL. Using INFORMIX there is a rather simple solution for this
problem,called Synonyms. 

Regards
    Karsten

-----Ursprüngliche Nachricht-----
Von: Tom Lane [mailto:tgl@sss.pgh.pa.us]
Gesendet: Dienstag, 22. Juni 2004 16:05
An: Kreißl, Karsten
Cc: pgsql-general@postgresql.org
Betreff: Re: [GENERAL] User Privileges using dblink


=?iso-8859-1?Q?=22Krei=DFl=2C_Karsten=22?= <KREISSL@his.de> writes:
> The second problem with dblink is a security hole.

> create view myinst as select * from dblink('dbname=sva4_int1','select .... from inst') as (.......);

This is not a security hole in dblink, it is a security hole in your
pg_hba.conf setup.  Don't use trust authentication.

> This problem could also be resolved, if dblink uses the current login
> information.

That seems completely impractical.  In the first place, it's not a
reasonable default (there's no good reason to assume that the remote
DB has the same users as the local), and in the second place dblink
cannot get at the user's password.  (We *would* have a security hole
if it could.)

            regards, tom lane

pgsql-general by date:

Previous
From: Tom Lane
Date:
Subject: Re: Do we need more emphasis on backup?
Next
From: Richard Huxton
Date:
Subject: Re: Point in time recovery