On Sat, 16 Jun 2007, Michael Fuhr wrote:
> A message entitled "Having Fun With PostgreSQL" was posted to Bugtraq
> today. I haven't read through the paper yet so I don't know if the
> author discusses security problems that need attention or if the
> article is more like a compilation of "Stupid PostgreSQL Tricks."
>
> http://www.securityfocus.com/archive/1/471541/30/0/threaded
The crux of this seems to be two-fold:

1. If dblink is installed, an untrusted user could use it to gain
   privileges, either using trust/ident auth (you have a superuser named
   after the account the postmaster is running as), or it can be scripted
   to brute force passwords.

2. If you are a superuser, you can gain access to the external system,
   i.e., by creating C language functions.

Neither of these are news to me, but maybe some new postgres admin will
read it and figure out to disable trust auth and not to let untrusted
users call dblink (either not install it or REVOKE the rights to call
it).

--
Around computers it is difficult to find the correct unit of time to
measure progress. Some cathedrals took a century to complete. Can you
imagine the grandeur and scope of a program that would take as long?
-- Epigrams in Programming, ACM SIGPLAN Sept. 1982

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
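The two mitigations the reply recommends (do not let untrusted roles call dblink, and get rid of trust auth) can be audited and applied from psql. The following is an added example written for this page, not code from the post or from the dblink contrib module. It assumes PostgreSQL 10 or later (for the pg_hba_file_rules view; the DO block needs 9.0 or later), that dblink was installed into a schema on the search_path, and that etl_role is a hypothetical role you actually want to keep dblink access.

```sql
-- Added example (not from the original post).
-- Run as a superuser inside psql.

-- 1. Audit: which dblink functions can any login role execute?
--    Functions are EXECUTE-able by PUBLIC by default, so a freshly
--    installed dblink is callable by every user of the database.
SELECT n.nspname AS schema,
       p.oid::regprocedure AS function
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.proname LIKE 'dblink%'
  AND  has_function_privilege('public', p.oid, 'EXECUTE')
ORDER  BY 2;

-- 2. Mitigate: revoke EXECUTE on every dblink* function from PUBLIC.
--    The loop uses regprocedure so overloaded signatures
--    (dblink(text), dblink(text,text), ...) are all covered.
DO $$
DECLARE
    r record;
BEGIN
    FOR r IN
        SELECT p.oid::regprocedure AS sig
        FROM   pg_proc p
        WHERE  p.proname LIKE 'dblink%'
    LOOP
        EXECUTE format('REVOKE EXECUTE ON FUNCTION %s FROM PUBLIC', r.sig);
    END LOOP;
END
$$;

-- 3. Re-grant only to the role that legitimately needs it
--    (etl_role is a hypothetical name; substitute your own).
GRANT EXECUTE ON FUNCTION dblink(text, text) TO etl_role;

-- 4. Re-run the audit from step 1: it should now return zero rows.

-- 5. Audit the other half of the problem: trust auth combined with a
--    superuser named after the OS account the postmaster runs as.
--    Any row from this query is an entry in pg_hba.conf that lets a
--    matching client in with no credentials at all.
SELECT line_number, type, database, user_name, address, auth_method
FROM   pg_hba_file_rules
WHERE  auth_method = 'trust';

-- 6. List the superuser roles; with a trust entry in place, each of
--    these is reachable by anything dblink (or a local client) can
--    open a connection as.
SELECT rolname, rolcanlogin
FROM   pg_roles
WHERE  rolsuper;
```

After changing the offending pg_hba.conf lines from `trust` to a password-based method (`md5`, or `scram-sha-256` on PostgreSQL 10 and later), run `SELECT pg_reload_conf();` and repeat step 5; the view reflects the file on disk, so it also shows a pending edit before the reload takes effect.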