From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Gregory Stark <stark(at)enterprisedb(dot)com> |
Cc: | "Aidan Van Dyk" <aidan(at)highrise(dot)ca>, "Jeremy Drake" <pgsql(at)jdrake(dot)com>, "Peter Eisentraut" <peter_e(at)gmx(dot)net>, "PostgreSQL Hackers" <pgsql-hackers(at)postgresql(dot)org>, "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "Greg Sabino Mullane" <greg(at)turnstep(dot)com> |
Subject: | Re: modules |
Date: | 2008-04-04 20:12:44 |
Message-ID: | 7616.1207339964@sss.pgh.pa.us |
Lists: | pgsql-general pgsql-hackers |
Gregory Stark <stark(at)enterprisedb(dot)com> writes:
> "Aidan Van Dyk" <aidan(at)highrise(dot)ca> writes:
>> What if you didn't need super-user privileges to load "C" functions, on
>> the conditions that:
>> 1) There is no / in the obj_file filename (or some other "sanitizing"
>> rules)
>> 2) You're database owner
> That's an interesting idea.
And utterly, utterly insecure.
The fact that the referenced object file is a "trusted" Postgres module
isn't enough to make it safe --- the user can still play hob with the
system by creating functions with the wrong argument/result types,
pointing at exported symbols that weren't meant to be callable
functions, creating broken index opclasses from the functions, etc.
I think you'd need to move the security gating up a level, and somehow
see the SQL-language installation and deinstallation scripts as trusted.
This goes back to the question of what is a module anyway.
Like Andrew, I'm a bit disturbed that people feel free to propose to
implement this stuff when they evidently have read none of the prior
discussions.
regards, tom lane
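The message above argues that letting non-superusers point CREATE FUNCTION at C object files is unsafe regardless of which file is referenced. A defender-side check that follows from that argument is to audit who owns C-language functions and to confirm that no procedural language is flagged trusted unless that was intended. The query below is an added example written for this thread, not code from the thread or from PostgreSQL itself; it assumes the standard pg_catalog tables (pg_proc, pg_language, pg_namespace, pg_roles) and a release that provides pg_get_function_identity_arguments (8.4 and later).

```sql
-- Added example, not from the thread: list every C-language function whose
-- owner is not a superuser. Any row here deserves a look, since creating such
-- functions is normally a superuser-only operation.
SELECT n.nspname                                   AS schema_name,
       p.proname                                   AS function_name,
       pg_get_function_identity_arguments(p.oid)   AS argument_list,
       p.probin                                    AS object_file,   -- shared library path
       p.prosrc                                    AS link_symbol,   -- exported symbol looked up in it
       r.rolname                                   AS owner,
       r.rolsuper                                  AS owner_is_superuser
FROM   pg_catalog.pg_proc      p
JOIN   pg_catalog.pg_language  l ON l.oid = p.prolang
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_catalog.pg_roles     r ON r.oid = p.proowner
WHERE  l.lanname = 'c'
  AND  NOT r.rolsuper
ORDER  BY schema_name, function_name;

-- Second check: which languages are marked trusted. "c" and "internal" must
-- never appear here; anything else should match the installation's policy.
SELECT lanname, lanpltrusted
FROM   pg_catalog.pg_language
WHERE  lanpltrusted
ORDER  BY lanname;
```

Run both statements as a superuser in each database; the first should normally return no rows, and the second should list only the PLs (such as plpgsql) that were deliberately installed as trusted.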