Are there any Database functions which allow access to other network services in PostgreSQL

Question:

I have set up a new postgres installation and have to meet the security requirements from my company.

There is one requirement where I'm not quite sure:

Database functions which allow access to other network services (e.g. SMTP, HTTP, SNMP, FTP etc.) must be deleted or deactivated.

Motivation: Some database systems provide functions that are normally offered by an application server. For instance, it is possible via special stored procedures to send e-mails or launch web queries to external systems.

I have installed postgres (PostgreSQL) 9.3.4. Are there any functions like this in a standard installation on Red Hat Enterprise Linux Server release 6.5 (Santiago)?

Answer:

I have never seen that personally, so I looked up all the functions in Postgres found in the docs here.

The only thing it showed that was remotely close was 'network address functions' in this section. Outside of that, the docs don't show anything for network access functions. Note that this doesn't mean you can't write your own functions that access the system or OS, which can then access the network.

PostgreSQL implements host-based access control using the pg_hba.conf file. This file is located in the data directory of the database cluster.

The format of this file is: all parameters on a single line (here they are numbered for convenience).

To prevent outside connections to your server:

1. local|remote(host|hostssl|hostnossl) connection:  local
2. Database                                       :  database-name or comma-separated list of database names
3. Users                                          :  username or comma-separated list of user names
4. client IP address (localhost)                  :  127.0.0.1/32
5. password authentication method                 :  trust | reject | md5 | password (plain text) | gss | sspi | krb5 | ident | peer | pam | ldap | radius | cert

Make sure you have the following two lines of settings as described above. The second line will reject all remote connections. If you want to allow a range of local IP addresses in the first line, use, for example, 192.168.84.0/24.

# TYPE  DATABASE  USER  ADDRESS        METHOD   (a "local" record is for Unix sockets and takes no ADDRESS field; TCP loopback needs "host")
host    all       all   127.0.0.1/32   md5
host    all       all   0.0.0.0/0      reject
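The two points that matter when reviewing a pg_hba.conf file are the record format (a "local" record has no ADDRESS field, so an address in that position is read as the authentication method and the file fails to load) and the first-match rule (PostgreSQL stops at the first record that fits the connection; if none fits, the connection is refused). The following checker, an added example rather than code from the answer above or from PostgreSQL itself, parses the record layout the answer describes, evaluates which record a connection attempt would hit, and flags weak settings. It assumes CIDR addresses, models only the "all" keyword for databases and users, and ignores authentication options after METHOD; the sample file inside it is constructed for the demonstration.

```python
"""Small pg_hba.conf checker: parse records, apply first-match, flag weak settings.

Illustrative code only (not PostgreSQL's parser). Assumes CIDR addresses, treats
only "all" as a database/user keyword, and ignores options after METHOD.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Union

CONNECTION_TYPES = {"local", "host", "hostssl", "hostnossl"}
AUTH_METHODS = {"trust", "reject", "md5", "password", "gss", "sspi", "krb5",
                "ident", "peer", "pam", "ldap", "radius", "cert"}

# Constructed sample (not a real file): loopback TCP with md5, everything else
# rejected, plus a Unix-socket record so local command-line tools keep working.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   0.0.0.0/0      reject
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class HbaRecord:
    lineno: int
    conn_type: str
    databases: Set[str]
    users: Set[str]
    network: Optional[Network]  # None for "local" (Unix socket) records
    method: str


def parse_hba(text: str) -> List[HbaRecord]:
    """Parse pg_hba.conf text; raise ValueError on a malformed line, roughly as
    PostgreSQL refuses to load an invalid file."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type not in CONNECTION_TYPES:
            raise ValueError(f"line {lineno}: unknown connection type {conn_type!r}")
        if conn_type == "local":
            # Unix-socket records have no ADDRESS: TYPE DATABASE USER METHOD
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: too few fields for a local record")
            database, user, method = fields[1], fields[2], fields[3]
            network = None
        else:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: too few fields for a host record")
            database, user, address, method = fields[1:5]
            network = ipaddress.ip_network(address, strict=False)
        if method not in AUTH_METHODS:
            raise ValueError(f"line {lineno}: unknown authentication method {method!r}")
        records.append(HbaRecord(lineno, conn_type, set(database.split(",")),
                                 set(user.split(",")), network, method))
    return records


def match(records: List[HbaRecord], conn_type: str, database: str, user: str,
          address: Optional[str] = None) -> Optional[HbaRecord]:
    """Return the first record that applies to the attempt, or None.
    PostgreSQL uses only the first matching record; with no match the connection
    is refused, so None means "rejected by default"."""
    for rec in records:
        if (rec.conn_type == "local") != (conn_type == "local"):
            continue
        if rec.conn_type == "hostssl" and conn_type != "hostssl":
            continue
        if rec.conn_type == "hostnossl" and conn_type != "hostnossl":
            continue
        # An IPv4 network never contains an IPv6 client address (and vice versa),
        # so 0.0.0.0/0 alone does not describe IPv6 clients.
        if rec.network is not None and ipaddress.ip_address(address) not in rec.network:
            continue
        if "all" not in rec.databases and database not in rec.databases:
            continue
        if "all" not in rec.users and user not in rec.users:
            continue
        return rec
    return None


def lint(records: List[HbaRecord]) -> List[str]:
    """Flag settings a reviewer would question before accepting the file."""
    findings = []
    for rec in records:
        loopback_only = (rec.network is not None
                         and rec.network.prefixlen == rec.network.max_prefixlen
                         and rec.network.network_address.is_loopback)
        if rec.method == "trust" and not loopback_only:
            findings.append(f"line {rec.lineno}: 'trust' grants passwordless access beyond loopback")
        if rec.network is not None and rec.method == "password" and rec.conn_type != "hostssl":
            findings.append(f"line {rec.lineno}: 'password' sends the password in clear text on a possibly unencrypted connection")
    return findings


if __name__ == "__main__":
    recs = parse_hba(SAMPLE_HBA)
    for attempt in [("host", "app", "alice", "127.0.0.1"), ("host", "app", "alice", "192.168.84.7"),
                    ("host", "app", "alice", "::1"), ("local", "app", "alice", None)]:
        hit = match(recs, *attempt)
        print(attempt, "->", f"line {hit.lineno} {hit.method}" if hit else "no record, refused")
    print("findings:", lint(recs) or "none")
```

Running it shows the IPv6 loopback attempt hitting no record at all: it is still refused, because that is the default, but a reviewer should know the explicit `0.0.0.0/0 reject` line never saw it. Feeding the answer's original first line (`local all all 127.0.0.1/32 md5`) to `parse_hba` raises, for the same reason PostgreSQL would reject it: the address lands in the METHOD position.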
