On Fri, Jul 28, 2006 at 09:54:38PM +0200, Martijn van Oosterhout wrote:
> Not the least of which is that arguments involving "people can install
> C code into the backend and break security" are truisms: installed C
> code can do *anything* which is why only superusers can install such
> functions...
My argument was not that installing C code can break things. My argument
was that authors of C code are likely to forget about this "feature" and
unknowingly open new security holes. Obviously no one can force C
extension author to not do stupid or horrible things, but we can at
least help him not unknowingly do horrible things.
Again, fix is really simple. Document the issue, making it damn clear in
the docs that the schema usage check means *nothing* when accessing an
object by OID, and advising users that the ways to access things by OID
are obscure but present and changing, so relying on the schema usage
privilege is not a good idea. I'm not asking for a 2000 line patch here.
A simple documentation change will do -- one that doesn't try to skirt
around the issue like a dirty little secret.
