Gregory Stark wrote:
> All that really has to happen is that dblink should by default not be callable
> by any user other than Postgres. DBAs should be required to manually run
> "GRANT EXECUTE ON dblink_connect(text) TO public;" if that's what he wants.
That serves the purpose of making PG "secure by default" (whatever that means
exactly) well, and surely is a good short-term solution.
But it severely limits the usefulness of dblink on setup where PG uses
ident auth either via TCP or unix-sockets - there seems to be no way to
securely users use dblink in such a setup.
Therefore I think there should be a ToDO
"Explore how dblink can be made safe if used together with ident authentication"
or something similar.
The ideal solution would IMHO be to authenticate a user using dblink as
the user he used to connect to PG in the first place - but since ident is
handled outside of PG that might be impossible to archive without some
really bad hacks. So maybe just finding a way to disable ident auth for
connections made via dblink is sufficient.
greetings, Florian Pflug