Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> The larger point though is that this is just one of innumerable attack
>> routes for anyone with the ability to make the server do filesystem reads
>> or writes of his choosing. If you think that's something you can safely
>> give to people you don't trust enough to make them superusers, you are
>> wrong, and I don't particularly want to spend the next ten years trying
>> to wrap band-aids around your misjudgment.
> I certainly don't have the experience you do in this area and am quite
> interested in the other attack routes you're thinking of, and how other
> databases which support this capability address them. Perhaps they're
> simply documented as known issues, or they aren't addressed at all and
> bugs exist, but I'm not seeing these apparently obvious issues.

Well, the point here is that I'm *not* an expert. I'm aware that there
are lots of nonobvious ways in which Unix filesystem security can be
subverted if you can control the actions of a process running with
privileges you don't/shouldn't have. I don't claim to have all the
details at my fingertips, and I doubt that anyone else in the PG community
does either. Therefore, I think it's inevitable that if we build a
feature like this, it's going to have multiple security holes that
we will find out about the hard way.

As for other databases, since when did we think that Oracle, Microsoft, or
mysql are reliable sources of well-designed security-hole-free software?
The fact that they advertise features of this sort doesn't impress me in
the slightest.

I'm happy to have us rearrange things so that use of the existing
filesystem access functionality can be given out to users who aren't full
superusers. What I don't believe is that it's a useful exercise to try
to give out restricted filesystem access: that will require too many
restrictions/compromises and still create too much of an attack surface.
I want to just define away the attack surface by making it clear that we
are *not* making any promises about what someone can do with filesystem
access functionality. If you give joe access to that functionality and
he does something you don't like, it's your fault not ours.

regards, tom lane
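As an added example, not part of Tom's mail or of the PostgreSQL project's own code: an audit query a DBA can run to list which non-superuser roles currently hold EXECUTE on the built-in server-side filesystem functions, directly or through role membership. The function names are the real pg_catalog ones; limiting the output to non-superusers is this query's own choice.

```sql
-- Which non-superuser roles can call the server-side filesystem functions?
-- has_function_privilege() honours grants inherited via role membership,
-- so members of a role that was granted EXECUTE are listed as well.
SELECT p.oid::regprocedure AS function_signature,
       r.rolname            AS role_name,
       r.rolcanlogin        AS can_login
FROM   pg_catalog.pg_proc      AS p
JOIN   pg_catalog.pg_namespace AS n ON n.oid = p.pronamespace
CROSS JOIN pg_catalog.pg_roles AS r
WHERE  n.nspname = 'pg_catalog'
  AND  p.proname IN ('pg_read_file', 'pg_read_binary_file',
                     'pg_ls_dir', 'pg_stat_file')
  AND  NOT r.rolsuper                        -- superusers have this regardless
  AND  has_function_privilege(r.oid, p.oid, 'EXECUTE')
ORDER BY role_name, function_signature;
```

Every row is a role that, in the sense of the mail above, should be treated as superuser-equivalent. On releases that have the predefined pg_read_server_files role, its members show up here too.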