DBLink's default user: postgres

Started by Rodrigo Hjort, about 18 years ago, 2 messages
#1 Rodrigo Hjort
rodrigo.hjort@gmail.com

Is this the regular behavior on DBLink?

rot=> SELECT user, current_database();
current_user | current_database
--------------+------------------
sa_rot | rot
(1 registro)

rot=> SELECT *
rot-> FROM dblink('dbname=escola',
rot(> 'SELECT user, current_database()')
rot-> AS (usr name, db name);
usr | db
----------+--------
postgres | escola
(1 registro)

This way, I fear DBLink functions should become a vulnerability issue on my
database.
Is there any way to protect or override this setting? Or should it be done
in pg_hba.conf only?

--
Regards,

Rodrigo Hjort
http://icewall.org/~hjort

#2 Tommy Gildseth
tommy.gildseth@usit.uio.no
In reply to: Rodrigo Hjort (#1)
Re: DBLink's default user: postgres

Rodrigo Hjort wrote:

> Is this the regular behavior on DBLink?
>
> rot=> SELECT user, current_database();
> current_user | current_database
> --------------+------------------
> sa_rot | rot
> (1 registro)
>
> rot=> SELECT *
> rot-> FROM dblink('dbname=escola',
> rot(> 'SELECT user, current_database()')
> rot-> AS (usr name, db name);
> usr | db
> ----------+--------
> postgres | escola
> (1 registro)
>
> This way, I fear DBLink functions should become a vulnerability issue
> on my database.
> Is there any way to protect or override this setting? Or should it be
> done in pg_hba.conf only?

This issue has been thoroughly discussed before. You can read more about
it in, for example, these threads:
http://archives.postgresql.org/pgsql-hackers/2007-06/msg00678.php

http://archives.postgresql.org/pgsql-patches/2007-07/msg00000.php

--
Tommy Gildseth
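
An added example, not part of either message or of the dblink code: when the connection string names no user, the connection is opened by the server process itself, so it arrives as postgres wherever pg_hba.conf admits that local account without a password. The SQL below audits which dblink functions the unprivileged role from the session above (sa_rot) may call and removes the default PUBLIC grant. It assumes a superuser session in the database where dblink is installed and a server that supports DO blocks and format() (9.1 or later).

```sql
-- Added example. The role name sa_rot comes from the session quoted above;
-- app_reporting is a hypothetical role used only for illustration.

-- 1. Audit: which dblink entry points can the unprivileged role execute?
SELECT p.oid::regprocedure                                AS dblink_function,
       has_function_privilege('sa_rot', p.oid, 'EXECUTE') AS sa_rot_can_execute
FROM   pg_proc p
WHERE  p.proname LIKE 'dblink%'
ORDER  BY p.proname;

-- 2. Restrict: functions are executable by PUBLIC by default, so revoke that
--    grant on every dblink function without hard-coding their signatures.
DO $$
DECLARE
    f regprocedure;
BEGIN
    FOR f IN
        SELECT p.oid::regprocedure
        FROM   pg_proc p
        WHERE  p.proname LIKE 'dblink%'
    LOOP
        EXECUTE format('REVOKE EXECUTE ON FUNCTION %s FROM PUBLIC', f);
    END LOOP;
END
$$;

-- 3. Grant back only to roles that really need cross-database queries
--    (uncomment and adjust; app_reporting is a placeholder).
-- GRANT EXECUTE ON FUNCTION dblink(text, text) TO app_reporting;

-- 4. Verify: rerun the audit from step 1. Every row should now show
--    sa_rot_can_execute = false, unless sa_rot holds a direct grant or
--    inherits one through role membership.
SELECT p.oid::regprocedure                                AS dblink_function,
       has_function_privilege('sa_rot', p.oid, 'EXECUTE') AS sa_rot_can_execute
FROM   pg_proc p
WHERE  p.proname LIKE 'dblink%'
ORDER  BY p.proname;
```

Revoking EXECUTE narrows who can reach dblink at all; the pg_hba.conf entries that admit the postgres account locally without a password still decide whether a connection opened by the server process is accepted.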