Tom Lane wrote:
> Jan Wieck <janwieck@Yahoo.com> writes:
> > the new EXECUTE command in PL/pgSQL is a security hole.
> > PL/pgSQL is a trusted procedural language, meaning that
> > regular users can write code in it. With the new EXECUTE
> > command, someone could read and write arbitrary files under
> > the postgres UNIX-userid using the COPY command.
>
> Huh? This would only be true if all operations inside plpgsql are
> executed as superuser, which they are not. Seems to me the existing
> defense against non-superuser using COPY is sufficient.
Phew,
you saved my day. I had better think twice before ringing the alarm bell :-)
Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#================================================== JanWieck@Yahoo.com #
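
The check Tom Lane describes can be confirmed on a scratch database. The following is an added example, not part of the original thread; it assumes a current PostgreSQL release (DO blocks and `COPY (query) TO`), and the role name and file path are constructed placeholders.

```sql
-- Added example; copy_demo_user and /tmp/copy_demo.out are constructed.
-- Run as a superuser in a scratch database.
CREATE ROLE copy_demo_user NOLOGIN;

SET ROLE copy_demo_user;   -- drop to an ordinary, non-superuser role

DO $$
BEGIN
    -- Dynamic SQL runs with the privileges of the current role,
    -- so COPY's own check on server-side files still applies.
    EXECUTE 'COPY (SELECT 1) TO ''/tmp/copy_demo.out''';
    RAISE NOTICE 'COPY succeeded (unexpected for a non-superuser)';
EXCEPTION
    WHEN insufficient_privilege THEN
        RAISE NOTICE 'COPY denied as expected: %', SQLERRM;
END
$$ LANGUAGE plpgsql;

RESET ROLE;
DROP ROLE copy_demo_user;

-- Audit: functions that execute with a superuser's privileges
-- regardless of the caller (SECURITY DEFINER, superuser-owned).
-- Dynamic SQL inside these is not covered by the caller's checks.
SELECT p.oid::regprocedure AS function_signature,
       r.rolname           AS owner
FROM pg_proc p
JOIN pg_roles r ON r.oid = p.proowner
WHERE p.prosecdef
  AND r.rolsuper;
```

Any function the audit query returns that builds its EXECUTE string from caller-supplied input deserves a review, since the superuser check passes inside it.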