"Joe Conway" <mail@joeconway.com> writes:
> Stephen Frost wrote:
>> * Joe Conway (mail@joeconway.com) wrote:
>>> There are none installed by default -- that's the point.
>>
>> Uhh... None what? Functions in untrusted languages? That's certainly
>> not the case, there's a whole slew of them, from boolin to
>> generate_series and beyond. They're available to regular users, even!
>
> Get serious. Internal functions are specifically designed and maintained to be
> safe within the confines of the database security model. We are discussing
> extensions to the core, all of which must be installed by choice, by a superuser.
That doesn't mean they shouldn't be concerned with security.
Consider dblink as an entirely separate product which depends on Postgres the
way Postgres depends on the OS. We discussing how the dblink software should
behave when installed with *its* default configuration.
When *Postgres is installed on Unix* it modifies the Unix security model
allowing internet users to connect and execute SQL queries. But it is
configured to be "secure by default" by requiring explicit authorization for
users who should be allowed to connect. Merely installing *Postgres on Unix*
doesn't allow arbitrary internet users to use your machine to store data.
Likewise when *dblink is installed on Postgres* it modifies the Postgres
security model to allow exterior users to create tcp connections originating
from your host. This is something Postgres and indeed Unix in general forbid.
It should be configured so that when *dblink* is installed it is configured to
be "secure by default" by requiring explicit authorization for users who
should be allowed to form connections. Merely installing *dblink on Postgres*
shouldn't allow arbitrary Postgres users to use your machine to launch
attacks.
--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com