Thread: User Privileges using dblink
Hello,

we want to use dblink to connect several databases in a client/server environment. Connection from local users to the remote databases should be possible only for privileged users.

We tried a solution with dblink, embedding this command in a view, like this:

    create view inst as select * from dblink('host=pollux port=5432 dbname=cob_int user=his_int password=#integration#', .....

This solution is insecure, because login and password are readable for everyone.

We tried to call dblink without username and login, but it fails, i.e.

    create view inst as select * from dblink('host=pollux port=5432 dbname=cob_int', .....

What we are searching for is a solution which uses the current login information (user and password).

The second problem with dblink is a security hole. If you have a table without any grants for the current user, this user can create a view to circumvent the table privileges, i.e.:

Current user is svawork (not a superuser!).
Current database is sva4_int1.
Table inst has privileges only for a user sva.

If user svawork tries to read from inst, it fails. This is ok.

If svawork creates a view like:

    create view myinst as select * from dblink('dbname=sva4_int1','select .... from inst') as (.......);

The view does not connect to a remote database. It uses the local database. You can read the data from table inst without any restrictions! (Select * from myinst ...)

This problem could also be resolved if dblink used the current login information.

Any solutions welcome.

Karsten
Write a function that returns connection parameters (instead of hardcoding them into the view) using CURRENT_USER as parameter.

    create view inst as select * from dblink( get_connection_param(CURRENT_USER) )

where get_connection_param is Your function returning text.

Using the system user name is not a problem at all, but the password is. You can read the encrypted password from pg_shadow, but only if You are a superuser, otherwise it is another security hole... However, this is not a dblink problem, and can be summarized as: How can I know my own password? I think that even the server does not know Your password, it only knows the encrypted representation (someone else could know this better).

Regards !

----- Original Message -----
From: "Kreißl, Karsten" <KREISSL@his.de>
To: <pgsql-hackers@postgresql.org>
Sent: Tuesday, June 22, 2004 11:50 AM
Subject: [HACKERS] User Privileges using dblink
>
> create view myinst as select * from dblink('dbname=sva4_int1','select ....
> from inst') as (.......);
>
> The view connect not to a remote database. It uses the local database.
> You can read the data from table inst without any restrictions! (Select *
> from myinst ...)
> This problem could also be resolved, if dblink uses the current login
> information.

I'm sorry but I forgot to comment on this. Isn't this because Your configuration allows trusted connections for localhost?

This is the part of the pg_hba.conf comment:

# Put your actual configuration here
# ----------------------------------
#
# CAUTION: The default configuration allows any local user to connect
# using any PostgreSQL user name, including the superuser, over either
# Unix-domain sockets or TCP/IP. If you are on a multiple-user
# machine, the default configuration is probably too liberal for you.
# Change it to use something other than "trust" authentication.
#
# If you want to allow non-local connections, you need to add more
# "host" records. Also, remember TCP/IP connections are only enabled
# if you enable "tcpip_socket" in postgresql.conf.

Regards !
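
The pg_hba.conf point raised in the reply above, as an added example that is not part of the original thread: a small Python audit that lists every "trust" rule a connection opened on the database host itself (which is what dblink('dbname=...') does) can match. The two sample files are constructed, and the peer and scram-sha-256 methods in the corrected sample come from current PostgreSQL releases, which postdate this 2004 thread.

```python
import ipaddress

# Constructed pg_hba.conf samples (not from the thread).
WEAK = """\
# TYPE  DATABASE  USER  ADDRESS                    METHOD
local   all       all                              trust
host    all       all   127.0.0.1 255.255.255.255  trust
host    all       all   ::1/128                    trust
"""
FIXED = """\
local   all        all                 peer
host    all        all  127.0.0.1/32   scram-sha-256
host    sva4_int1  sva  192.0.2.0/24   scram-sha-256
"""

def _net(addr):
    """Parse an ADDRESS field; None for hostnames and keywords."""
    try:
        return ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None

def reaches_server_itself(addr):
    """True if a connection opened on the server host (dblink with no host,
    or host=localhost) can match this ADDRESS field."""
    if addr is None or addr in ("all", "samehost"):
        return True
    net = _net(addr)
    return net is not None and any(
        ipaddress.ip_address(a) in net for a in ("127.0.0.1", "::1"))

def trust_rules(hba_text):
    """Return (line_no, type, database, user) for each 'trust' rule that a
    connection originating on the server host can match."""
    hits = []
    for no, raw in enumerate(hba_text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 4 or f[0] not in ("local", "host", "hostssl", "hostnossl"):
            continue
        if f[0] == "local":
            addr, rest = None, f[3:]
        elif len(f) > 5 and _net(f[4]) is not None:  # old "IP NETMASK" form
            addr, rest = f"{f[3]}/{f[4]}", f[5:]
        else:
            addr, rest = f[3], f[4:]
        if rest and rest[0] == "trust" and reaches_server_itself(addr):
            hits.append((no, f[0], f[1], f[2]))
    return hits
```

Any rule this reports lets a loopback dblink call authenticate as whatever user name the connection string (or the libpq default) supplies, so table grants in the local database stop protecting the data.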