Re: Dumping an Extension's Script - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Dumping an Extension's Script
Date
Msg-id 13481.1354743758@sss.pgh.pa.us
Whole thread Raw
In response to Re: Dumping an Extension's Script  (Andres Freund <andres@anarazel.de>)
Responses Re: Dumping an Extension's Script
List pgsql-hackers
Andres Freund <andres@anarazel.de> writes:
> On 2012-12-05 16:20:41 -0500, Tom Lane wrote:
>> GUC or no GUC, it'd still be letting an unprivileged network-exposed
>> application (PG) do something that's against any sane system-level
>> security policy.  Lipstick is not gonna help this pig.

> What about the non-writable per cluster directory? Thats something I've
> actively wished for in the past when developing a C module thats also
> used in other clusters.

I see no security objection to either per-cluster or per-database
script+control-file directories, as long as they can only contain
SQL scripts and not executable files.

If we allow such things to be installed by less-than-superusers,
we'll have to think carefully about what privileges are given
when running the script.  I forget at the moment how much of that
we already worked out back in the 9.1 era; I remember it was discussed
but not whether we had a bulletproof solution.
        regards, tom lane



pgsql-hackers by date:

Previous
From: Andres Freund
Date:
Subject: Re: Dumping an Extension's Script
Next
From: Alvaro Herrera
Date:
Subject: Re: Review: Extra Daemons / bgworker