Re: Expect problems with PL/Python and Python version 2.2.3+

Lists: pgsql-hackers
From: Sean Reifschneider <jafo(at)tummy(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Cc: guido(at)python(dot)org
Subject: Expect problems with PL/Python and Python version 2.2.3+ & 2.3+
Date: 2003-05-25 22:48:33
Message-ID: 20030525224833.GO31407@tummy.com

My understanding (from the documentation and from a quick code check) is
that the PL/Python code uses Python's "rexec" ability to provide a
restricted execution environment for the Python code.

For those unfamiliar with it, rexec provides a restricted execution
environment, limiting access to certain Python and system routines.

This functionality is being deprecated in Python, due to security
problems and lack of maintainership to resolve them... Python 2.2.3
will ship next Friday with rexec disabled, and Python version 2.3 should
be out in about a month and will also not have rexec.

The first issue to note is that currently rexec does have some security
problems which mean that enabling pl/python may cause users to gain
access to the system as the user PostgreSQL is running as. I'm not very
familiar with these problems, just that there are some...

It may be appropriate to just remove the rexec, with the result being
that PL/Python code will be able to have access to basically anything on
the system as the user PostgreSQL is running as.

So, heads up... 2.2.3 and 2.3 and later versions of Python will
probably not work with PostgreSQL and PL/Python.

Sean
--
Brooks's Law of Prototypes: Plan to throw one away, you will anyhow.
Sean Reifschneider, Inimitably Superfluous <jafo(at)tummy(dot)com>
tummy.com, ltd. - Linux Consulting since 1995. Qmail, Python, SysAdmin
Back off man. I'm a scientist. http://HackingSociety.org/


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Sean Reifschneider <jafo(at)tummy(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org, guido(at)python(dot)org
Subject: Re: Expect problems with PL/Python and Python version 2.2.3+ & 2.3+
Date: 2003-05-26 06:15:59
Message-ID: 25845.1053929759@sss.pgh.pa.us

Sean Reifschneider <jafo(at)tummy(dot)com> writes:
> For those unfamiliar with it, rexec provides a restricted execution
> environment, limiting access to certain Python and system routines.
> This functionality is being deprecated in Python, due to security
> problems and lack of maintainership to resolve them...

Is no substitute solution being offered?

> It may be appropriate to just remove the rexec, with the result being
> that PL/Python code will be able to have access to basically anything on
> the system as the user PostgreSQL is running as.

We would have to change it to an untrusted language. We could do that,
but it would mean a major reduction in the usefulness of plpython.
Few DBAs of average paranoia levels want to give superuser access to
their database users.

regards, tom lane
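
The trusted/untrusted distinction Tom refers to is recorded in the PostgreSQL catalog, so an administrator can audit it directly. The query below is an added example, not code from this thread; it assumes a PostgreSQL server where a PL/Python handler is installed and uses the `pg_language` columns `lanispl` and `lanpltrusted`.

```sql
-- Audit which procedural languages are registered as "trusted".
-- A trusted language may be used by any role allowed to CREATE FUNCTION;
-- an untrusted one can only be used by superusers, which is the status
-- the thread proposes for plpython once rexec is gone.
SELECT lanname,
       lanpltrusted,
       CASE
           WHEN lanpltrusted THEN 'trusted: any function author can run it'
           ELSE 'untrusted: superuser-only'
       END AS exposure
FROM pg_language
WHERE lanispl            -- only procedural languages, not internal/C
ORDER BY lanname;

-- Narrow the audit to PL/Python specifically: any row here with
-- lanpltrusted = true means non-superusers can execute arbitrary Python
-- with the privileges of the server process, which is the risk described above.
SELECT lanname
FROM pg_language
WHERE lanispl
  AND lanpltrusted
  AND lanname LIKE 'plpython%';
```

An empty result from the second query is the expected state on a server that treats PL/Python as untrusted.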


From: Guido van Rossum <guido(at)python(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Sean Reifschneider <jafo(at)tummy(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Expect problems with PL/Python and Python version 2.2.3+
Date: 2003-05-26 06:46:20
Message-ID: 200305260646.h4Q6kK908555@pcp02138704pcs.reston01.va.comcast.net

> Sean Reifschneider <jafo(at)tummy(dot)com> writes:
> > For those unfamiliar with it, rexec provides a restricted execution
> > environment, limiting access to certain Python and system routines.
> > This functionality is being deprecated in Python, due to security
> > problems and lack of maintainership to resolve them...
>
> Is no substitute solution being offered?

There are hopes that rexec will eventually be fixed. But nobody has
signed up to do the work. So for the time being, no. (The fixes
aren't simple; the problem is really deep in the bowels of the new
class/type unification code, and a fix will require serious rethinking
of the security implications of everything there.)

> > It may be appropriate to just remove the rexec, with the result being
> > that PL/Python code will be able to have access to basically anything on
> > the system as the user PostgreSQL is running as.
>
> We would have to change it to an untrusted language. We could do that,
> but it would mean a major reduction in the usefulness of plpython.
> Few DBAs of average paranoia levels want to give superuser access to
> their database users.

Then they shouldn't trust rexec either, at least not with Python 2.2
and up. I can't divulge the details, but there are quite a few known
attacks on rexec. The python-dev list archives have details.

I'm not saying I'm not sorry about this state of affairs. But I
prefer to be upfront and say "there is currently no secure restricted
execution mode" rather than pretend everything is cool and let bad
guys hack into your system via the rexec holes.

You could always downgrade to Python 2.1.3.

--Guido van Rossum (home page: http://www.python.org/~guido/)


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Guido van Rossum <guido(at)python(dot)org>
Cc: Sean Reifschneider <jafo(at)tummy(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Expect problems with PL/Python and Python version 2.2.3+ & 2.3+
Date: 2003-05-26 06:46:36
Message-ID: 26025.1053931596@sss.pgh.pa.us

Guido van Rossum <guido(at)python(dot)org> writes:
> I'm not saying I'm not sorry about this state of affairs. But I
> prefer to be upfront and say "there is currently no secure restricted
> execution mode" rather than pretend everything is cool and let bad
> guys hack into your system via the rexec holes.

Fair enough (and thanks for the prompt, authoritative answer!)

Looks like we either change plpython to untrusted status or remove it
entirely :-(. Sean, do you have time to prepare a patch for the former?

regards, tom lane


From: Sean Reifschneider <jafo(at)tummy(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Guido van Rossum <guido(at)python(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Expect problems with PL/Python and Python version 2.2.3+ & 2.3+
Date: 2003-05-26 09:03:49
Message-ID: 20030526090349.GW31407@tummy.com

On Mon, May 26, 2003 at 02:46:36AM -0400, Tom Lane wrote:
> Looks like we either change plpython to untrusted status or remove it
> entirely :-(. Sean, do you have time to prepare a patch for the former?

I don't really have the level of familiarity with the PostgreSQL code to
do that in a timely manner. Sorry.

Sean
--
Q. What's the difference between Batman and Bill Gates?
A. When Batman fought the Penguin, he won.
Sean Reifschneider, Inimitably Superfluous <jafo(at)tummy(dot)com>
tummy.com, ltd. - Linux Consulting since 1995. Qmail, Python, SysAdmin


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Tilo Schwarz <list(at)tilo-schwarz(dot)de>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Expect problems with PL/Python and Python version 2.2.3+ & 2.3+
Date: 2003-05-28 02:47:40
Message-ID: 3841.1054090060@sss.pgh.pa.us

Tilo Schwarz <list(at)tilo-schwarz(dot)de> writes:
> Tom Lane writes:
>> Looks like we either change plpython to untrusted status or remove it
>> entirely :-(. Sean, do you have time to prepare a patch for the former?

> Please, don't remove it. We (a group of "trusted" people using Postgresql) are
> actually waiting for plpython to become untrusted, so we can use the full
> power of python (e.g. file access) from Postgresql.

Well, Sean disclaimed the project, so you seem to be next in line ;-)
Go to it ...

regards, tom lane