From d92583f88ec75eb73855a794230aa94c4366f103 Mon Sep 17 00:00:00 2001
From: Joe Conway <mail@joeconway.com>
Date: Sun, 8 Jul 2007 17:12:38 +0000
Subject: [PATCH] Restrict non-superusers to password authenticated connections
 to prevent possible escalation of privilege. Provide new SECURITY DEFINER
 functions with old behavior, but initially REVOKE ALL from public for these
 functions. Per list discussion and design proposed by Tom Lane. A different
 approach will be used for back-branches, committed separately.

---
 contrib/dblink/dblink.c       | 19 +++++++++++++-
 contrib/dblink/dblink.sql.in  | 18 +++++++++++++
 contrib/dblink/doc/connection | 48 ++++++++++++++++++++++++++++++++++-
 3 files changed, 83 insertions(+), 2 deletions(-)

diff --git a/contrib/dblink/dblink.c b/contrib/dblink/dblink.c
index b42dd026724..190c7005d64 100644
--- a/contrib/dblink/dblink.c
+++ b/contrib/dblink/dblink.c
@@ -8,7 +8,7 @@
  * Darko Prenosil <Darko.Prenosil@finteh.hr>
  * Shridhar Daithankar <shridhar_daithankar@persistent.co.in>
  *
- * $PostgreSQL: pgsql/contrib/dblink/dblink.c,v 1.63 2007/04/06 04:21:41 tgl Exp $
+ * $PostgreSQL: pgsql/contrib/dblink/dblink.c,v 1.64 2007/07/08 17:12:38 joe Exp $
  * Copyright (c) 2001-2007, PostgreSQL Global Development Group
  * ALL RIGHTS RESERVED;
  *
@@ -37,6 +37,7 @@
 #include "libpq-fe.h"
 #include "fmgr.h"
 #include "funcapi.h"
+#include "miscadmin.h"
 #include "access/heapam.h"
 #include "access/tupdesc.h"
 #include "catalog/namespace.h"
@@ -245,6 +246,22 @@ dblink_connect(PG_FUNCTION_ARGS)
 				 errdetail("%s", msg)));
 	}
 
+	if (!superuser())
+	{
+		if (!PQconnectionUsedPassword(conn))
+		{
+			PQfinish(conn);
+			if (rconn)
+				pfree(rconn);
+
+			ereport(ERROR,
+					(errcode(ERRCODE_S_R_E_PROHIBITED_SQL_STATEMENT_ATTEMPTED),
+					 errmsg("password is required"),
+					 errdetail("Non-superuser cannot connect if the server does not request a password."),
+					 errhint("Target server's authentication method must be changed.")));
+		}
+	}
+
 	if (connname)
 	{
 		rconn->conn = conn;
diff --git a/contrib/dblink/dblink.sql.in b/contrib/dblink/dblink.sql.in
index e99ea05ec78..b6e8f55ab81 100644
--- a/contrib/dblink/dblink.sql.in
+++ b/contrib/dblink/dblink.sql.in
@@ -1,3 +1,5 @@
+-- dblink_connect now restricts non-superusers to password
+-- authenticated connections
 CREATE OR REPLACE FUNCTION dblink_connect (text)
 RETURNS text
 AS 'MODULE_PATHNAME','dblink_connect'
@@ -8,6 +10,22 @@ RETURNS text
 AS 'MODULE_PATHNAME','dblink_connect'
 LANGUAGE C STRICT;
 
+-- dblink_connect_u allows non-superusers to use
+-- non-password authenticated connections, but initially
+-- privileges are revoked from public
+CREATE OR REPLACE FUNCTION dblink_connect_u (text)
+RETURNS text
+AS 'MODULE_PATHNAME','dblink_connect'
+LANGUAGE C STRICT SECURITY DEFINER;
+
+CREATE OR REPLACE FUNCTION dblink_connect_u (text, text)
+RETURNS text
+AS 'MODULE_PATHNAME','dblink_connect'
+LANGUAGE C STRICT SECURITY DEFINER;
+
+REVOKE ALL ON FUNCTION dblink_connect_u (text) FROM public;
+REVOKE ALL ON FUNCTION dblink_connect_u (text, text) FROM public;
+
 CREATE OR REPLACE FUNCTION dblink_disconnect ()
 RETURNS text
 AS 'MODULE_PATHNAME','dblink_disconnect'
diff --git a/contrib/dblink/doc/connection b/contrib/dblink/doc/connection
index 28a93a9038b..48b79c01428 100644
--- a/contrib/dblink/doc/connection
+++ b/contrib/dblink/doc/connection
@@ -1,4 +1,4 @@
-$PostgreSQL: pgsql/contrib/dblink/doc/connection,v 1.4 2006/03/11 04:38:29 momjian Exp $
+$PostgreSQL: pgsql/contrib/dblink/doc/connection,v 1.5 2007/07/08 17:12:38 joe Exp $
 ==================================================================
 Name
 
@@ -27,6 +27,12 @@ Outputs
 
   Returns status = "OK"
 
+Notes
+
+  Only superusers may use dblink_connect to create non-password
+  authenticated connections. If non-superusers need this capability,
+  use dblink_connect_u instead.
+
 Example usage
 
 select dblink_connect('dbname=postgres');
@@ -41,6 +47,46 @@ select dblink_connect('myconn','dbname=postgres');
  OK
 (1 row)
 
+==================================================================
+Name
+
+dblink_connect_u -- Opens a persistent connection to a remote database
+
+Synopsis
+
+dblink_connect_u(text connstr)
+dblink_connect_u(text connname, text connstr)
+
+Inputs
+
+  connname
+    if 2 arguments are given, the first is used as a name for a persistent
+    connection
+
+  connstr
+
+    standard libpq format connection string, 
+    e.g. "hostaddr=127.0.0.1 port=5432 dbname=mydb user=postgres password=mypasswd"
+
+    if only one argument is given, the connection is unnamed; only one unnamed
+    connection can exist at a time
+
+Outputs
+
+  Returns status = "OK"
+
+Notes
+
+  With dblink_connect_u, a non-superuser may connect to any database server
+  using any authentication method. If the authentication method specified
+  for a particular user does not require a password, impersonation and
+  therefore escalation of privileges may occur. For this reason,
+  dblink_connect_u is initially installed with all privileges revoked from
+  public. Privilege to these functions should be granted with care.
+
+Example usage
+
+
 ==================================================================
 Name
 
-- 
GitLab