-rw-r--r--contrib/dblink/dblink.c19
-rw-r--r--contrib/dblink/dblink.sql.in18
-rw-r--r--contrib/dblink/doc/connection48
3 files changed, 83 insertions, 2 deletions
diff --git a/contrib/dblink/dblink.c b/contrib/dblink/dblink.c
index b42dd026724..190c7005d64 100644
--- a/contrib/dblink/dblink.c
+++ b/contrib/dblink/dblink.c
@@ -8,7 +8,7 @@
* Darko Prenosil <Darko.Prenosil@finteh.hr>
* Shridhar Daithankar <shridhar_daithankar@persistent.co.in>
*
- * $PostgreSQL: pgsql/contrib/dblink/dblink.c,v 1.63 2007/04/06 04:21:41 tgl Exp $
+ * $PostgreSQL: pgsql/contrib/dblink/dblink.c,v 1.64 2007/07/08 17:12:38 joe Exp $
* Copyright (c) 2001-2007, PostgreSQL Global Development Group
* ALL RIGHTS RESERVED;
*
@@ -37,6 +37,7 @@
#include "libpq-fe.h"
#include "fmgr.h"
#include "funcapi.h"
+#include "miscadmin.h"
#include "access/heapam.h"
#include "access/tupdesc.h"
#include "catalog/namespace.h"
@@ -245,6 +246,22 @@ dblink_connect(PG_FUNCTION_ARGS)
errdetail("%s", msg)));
}
+ if (!superuser())
+ {
+ if (!PQconnectionUsedPassword(conn))
+ {
+ PQfinish(conn);
+ if (rconn)
+ pfree(rconn);
+
+ ereport(ERROR,
+ (errcode(ERRCODE_S_R_E_PROHIBITED_SQL_STATEMENT_ATTEMPTED),
+ errmsg("password is required"),
+ errdetail("Non-superuser cannot connect if the server does not request a password."),
+ errhint("Target server's authentication method must be changed.")));
+ }
+ }
+
if (connname)
{
rconn->conn = conn;
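Review bot: The `PQconnectionUsedPassword(conn)` test inside the new `if (!superuser())` block shows that the remote server asked for a password, not that the calling user supplied one in the connection string. libpq can also pick up a password from the environment or password file of the account the backend runs as, so a non-superuser could pass this check using credentials they never provided; I would additionally reject, before connecting, any non-superuser connection string that has no `password` keyword. The check also runs only after the outbound connection has been established and authenticated, so the remote login has already happened by the time the error is raised. Only dblink_connect is guarded here; any other dblink entry point that opens a connection from a caller-supplied connection string (not visible in this hunk) would need the same guard. dblink_connect's body starts and ends outside the hunk.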
diff --git a/contrib/dblink/dblink.sql.in b/contrib/dblink/dblink.sql.in
index e99ea05ec78..b6e8f55ab81 100644
--- a/contrib/dblink/dblink.sql.in
+++ b/contrib/dblink/dblink.sql.in
@@ -1,3 +1,5 @@
+-- dblink_connect now restricts non-superusers to password
+-- authenticated connections
CREATE OR REPLACE FUNCTION dblink_connect (text)
RETURNS text
AS 'MODULE_PATHNAME','dblink_connect'
@@ -8,6 +10,22 @@ RETURNS text
AS 'MODULE_PATHNAME','dblink_connect'
LANGUAGE C STRICT;
+-- dblink_connect_u allows non-superusers to use
+-- non-password authenticated connections, but initially
+-- privileges are revoked from public
+CREATE OR REPLACE FUNCTION dblink_connect_u (text)
+RETURNS text
+AS 'MODULE_PATHNAME','dblink_connect'
+LANGUAGE C STRICT SECURITY DEFINER;
+
+CREATE OR REPLACE FUNCTION dblink_connect_u (text, text)
+RETURNS text
+AS 'MODULE_PATHNAME','dblink_connect'
+LANGUAGE C STRICT SECURITY DEFINER;
+
+REVOKE ALL ON FUNCTION dblink_connect_u (text) FROM public;
+REVOKE ALL ON FUNCTION dblink_connect_u (text, text) FROM public;
+
CREATE OR REPLACE FUNCTION dblink_disconnect ()
RETURNS text
AS 'MODULE_PATHNAME','dblink_disconnect'
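Review bot: The comment above `dblink_connect_u` does not explain why `SECURITY DEFINER` is there, although the whole bypass appears to depend on it: both functions bind to the same C symbol `dblink_connect`, and the password check is presumably skipped only because `superuser()` is evaluated for the function's owner. I would add a line such as `-- SECURITY DEFINER: runs as the owning superuser, so the superuser() test in dblink_connect passes`, so that nobody drops the attribute or changes the owner without seeing the effect. Separately, each `dblink_connect_u` is executable by public between its `CREATE` and the matching `REVOKE` unless the script runs in a single transaction; wrapping these four statements in `BEGIN;` / `COMMIT;` would close that window.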
diff --git a/contrib/dblink/doc/connection b/contrib/dblink/doc/connection
index 28a93a9038b..48b79c01428 100644
--- a/contrib/dblink/doc/connection
+++ b/contrib/dblink/doc/connection
@@ -1,4 +1,4 @@
-$PostgreSQL: pgsql/contrib/dblink/doc/connection,v 1.4 2006/03/11 04:38:29 momjian Exp $
+$PostgreSQL: pgsql/contrib/dblink/doc/connection,v 1.5 2007/07/08 17:12:38 joe Exp $
==================================================================
Name
@@ -27,6 +27,12 @@ Outputs
Returns status = "OK"
+Notes
+
+ Only superusers may use dblink_connect to create non-password
+ authenticated connections. If non-superusers need this capability,
+ use dblink_connect_u instead.
+
Example usage
select dblink_connect('dbname=postgres');
@@ -44,6 +50,46 @@ select dblink_connect('myconn','dbname=postgres');
==================================================================
Name
+dblink_connect_u -- Opens a persistent connection to a remote database
+
+Synopsis
+
+dblink_connect_u(text connstr)
+dblink_connect_u(text connname, text connstr)
+
+Inputs
+
+ connname
+ if 2 arguments are given, the first is used as a name for a persistent
+ connection
+
+ connstr
+
+ standard libpq format connection string,
+ e.g. "hostaddr=127.0.0.1 port=5432 dbname=mydb user=postgres password=mypasswd"
+
+ if only one argument is given, the connection is unnamed; only one unnamed
+ connection can exist at a time
+
+Outputs
+
+ Returns status = "OK"
+
+Notes
+
+ With dblink_connect_u, a non-superuser may connect to any database server
+ using any authentication method. If the authentication method specified
+ for a particular user does not require a password, impersonation and
+ therefore escalation of privileges may occur. For this reason,
+ dblink_connect_u is initially installed with all privileges revoked from
+ public. Privilege to these functions should be granted with care.
+
+Example usage
+
+
+==================================================================
+Name
+
dblink_disconnect -- Closes a persistent connection to a remote database
Synopsis