Re: dblink connection security

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Joe Conway <mail(at)joeconway(dot)com>
Cc: Gregory Stark <stark(at)enterprisedb(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: dblink connection security
Date: 2007-07-09 04:16:36
Message-ID: 20070709041636.GT4887@tamriel.snowman.net
Lists: pgsql-patches

* Joe Conway (mail(at)joeconway(dot)com) wrote:
> Stephen Frost wrote:
>> No, it doesn't... Said arbitrary function in y, in untrusted language
>> z, could be perfectly safe for users to call.
> ^^^^^
> *Could* be. But we just said that the admin was not interested in reading
> the documentation, and has no idea if it *is* safe. And, it very well might
> not be safe. We have no way to know in advance because the language is
> untrusted.

If it's not safe then it shouldn't be enabled by default. That's pretty
much the point. If something is known to be unsafe for users to have
access to then it should be disabled by default.

>> Being written in an untrusted language has got next to nothing to do with
>> the security implications of a particular function. It depends entirely on
>> what the function is *doing*, not what language it's written in.
>
> Sure it matters. A function written in a trusted language is known to be
> safe, a priori. A function written in an untrusted language has no such
> guarantees, and therefore has to be assumed unsafe unless carefully proved
> otherwise.

I see... So all the functions in untrusted languages that come with PG
initially should be checked over by every sysadmin when installing PG,
every time... And the same for PostGIS, and all of the PLs that use
untrusted languages?

On my pretty modest install that's 2,206 functions. For some reason I
see something of a difference between 'generate_series' and 'dblink' in
terms of security and which one I'm comfortable having enabled by
default and which one I'm not.

Thanks,

Stephen
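An added example, not part of either message in this thread, of the inventory the argument above turns on: how many installed functions are implemented in untrusted languages, which of those PUBLIC can still execute, and how to restrict dblink to a named role rather than leaving it callable by every user. It assumes a current PostgreSQL server, dblink installed in schema public, and a hypothetical role dblink_users that you create for the purpose.

```sql
-- Added example (not from the thread). Assumes a current PostgreSQL,
-- dblink in schema "public", and a hypothetical role "dblink_users".

-- 1. Count installed functions per language, flagging untrusted ones
--    (C/internal and *u languages are lanpltrusted = false).
SELECT l.lanname,
       l.lanpltrusted,
       count(*) AS n_functions
FROM   pg_proc p
JOIN   pg_language l ON l.oid = p.prolang
GROUP  BY l.lanname, l.lanpltrusted
ORDER  BY n_functions DESC;

-- 2. List non-catalog functions in untrusted languages that PUBLIC
--    may execute (a NULL proacl means the default: EXECUTE to PUBLIC).
SELECT n.nspname, p.proname, l.lanname
FROM   pg_proc p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  NOT l.lanpltrusted
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  has_function_privilege('public', p.oid, 'EXECUTE')
ORDER  BY 1, 2;

-- 3. Take dblink out of the "enabled by default" set: revoke PUBLIC
--    EXECUTE on the entry points and grant it only to the dedicated role.
--    Repeat for any further dblink* overloads shown by \df dblink*.
CREATE ROLE dblink_users NOLOGIN;                       -- hypothetical role

REVOKE EXECUTE ON FUNCTION dblink_connect(text)        FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink_connect(text, text)  FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink(text, text)          FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink_exec(text, text)     FROM PUBLIC;

GRANT  EXECUTE ON FUNCTION dblink_connect(text)        TO dblink_users;
GRANT  EXECUTE ON FUNCTION dblink_connect(text, text)  TO dblink_users;
GRANT  EXECUTE ON FUNCTION dblink(text, text)          TO dblink_users;
GRANT  EXECUTE ON FUNCTION dblink_exec(text, text)     TO dblink_users;

-- 4. Verify: re-run query 2 and confirm no dblink* row remains.
SELECT p.proname
FROM   pg_proc p
WHERE  p.proname LIKE 'dblink%'
  AND  has_function_privilege('public', p.oid, 'EXECUTE');
```

Query 4 should return no rows once the revokes have covered every dblink overload present on the server.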
