| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Andres Freund <andres(at)anarazel(dot)de> |
| Cc: | Dimitri Fontaine <dimitri(at)2ndQuadrant(dot)fr>, Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, Simon Riggs <simon(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Dumping an Extension's Script |
| Date: | 2012-12-05 21:42:38 |
| Message-ID: | 13481.1354743758@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Andres Freund <andres(at)anarazel(dot)de> writes:
> On 2012-12-05 16:20:41 -0500, Tom Lane wrote:
>> GUC or no GUC, it'd still be letting an unprivileged network-exposed
>> application (PG) do something that's against any sane system-level
>> security policy. Lipstick is not gonna help this pig.
> What about the non-writable per cluster directory? Thats something I've
> actively wished for in the past when developing a C module thats also
> used in other clusters.
I see no security objection to either per-cluster or per-database
script+control-file directories, as long as they can only contain
SQL scripts and not executable files.
If we allow such things to be installed by less-than-superusers,
we'll have to think carefully about what privileges are given
when running the script. I forget at the moment how much of that
we already worked out back in the 9.1 era; I remember it was discussed
but not whether we had a bulletproof solution.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2012-12-05 21:42:42 | Re: Review: Extra Daemons / bgworker |
| Previous Message | Tom Lane | 2012-12-05 21:38:17 | Re: PITR potentially broken in 9.2 |