Re: Creating functions and triggers - Mailing list pgsql-general

From: Jan Wieck
Subject: Re: Creating functions and triggers
Date:
Msg-id: 3EC794A9.80105@Yahoo.com
In response to: Re: Creating functions and triggers ("scott.marlowe" <scott.marlowe@ihs.com>)
List: pgsql-general
The original idea was protection. If a language offers mechanisms through which a user can gain access to things he normally does not have access to, then it should be untrusted and require superuser privileges to define functions in that language. Those functions, once created by a superuser, can be considered trusted again depending on their functionality.

Quick example: A function that writes a file onto disk. Without any checks, that function could be used to replace the pg_hba.conf file ... and go from there. Surely not trusted, no matter who created it or what language he used. If the function ensures that the file will end up in a certain path, it's okay to trust it.

To write such a function requires that the language supports dealing with files on the OS level. PL/Tcl for example does not, so a user writing functions in PL/Tcl cannot do it and thus, it's safe to allow Joe Haxor to write functions in it. PL/TclU allows OS level file access, and therefore a superuser had better keep an eye on the function's code before it ever gets called. The only mechanism we have for that is to restrict the definition of functions in said untrusted language to superusers.

Jan

Network Administrator wrote:
> We're saying the same thing- non-admin user (superusers) can only install
> untrusted languages. However, I didn't know you could grant rights to a
> untrusted function. That is interesting because I thought the language's
> trusted status was based on who owned the database. For instance, if I installed
> Perl as untrusted into template1 wouldn't any user database based I create for
> regular users (as the superuser but making them the database owner) run PL/Perl
> functions as trusted?
>
> The initial reason for my post is that I [thought] I saw some talk about writing
> files as using PL/Perl instead of PL/Sh and I thought PL/Perl did not allow
> regular users to write files to the file system, no?
>
> Funny how 1 question leads to another- which is cool, 'cause I like to learn
> some'n new everyday!
>
>
> Quoting Bruno Wolff III <bruno@wolff.to>:
>
>
>> On Tue, May 13, 2003 at 10:06:36 -0400,
>> Network Administrator <netadmin@vcsn.com> wrote:
>>
>>> I had a thought/question 'bout this since I was reading some stuff on
>>> triggers- especially PL/Perl (sec. 21.4 in the 7.3 Programmer Docs). Isn't the
>>> simple answer to this based on the fact that a PL installed as "trusted" will not
>>> allow you to execute things that violate localization? Furthermore, if a
>>> language is installed as "untrusted", doesn't it prevent non-admin users from using it?
>>> Or is this only for PL/Perl?
>>
>> Untrusted languages can only be used by superusers.
>>
>
>

--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck@Yahoo.com #
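The pattern Jan describes above (a superuser defines a file-writing function in an untrusted language, constrains it to one directory, and then hands only EXECUTE on that function to ordinary users) as an added example that is not part of the original post or of the PostgreSQL project. It uses PL/PerlU rather than PL/TclU because the quoted question was about Perl; the `CREATE EXTENSION` form is modern syntax, and the directory `/var/lib/postgresql/exports` and the role `joe_haxor` are assumptions.

```sql
-- Loading an untrusted language and defining functions in it requires a
-- superuser; a regular role is refused on the CREATE FUNCTION.
CREATE EXTENSION IF NOT EXISTS plperlu;

-- Writes caller-supplied contents to a file, but only under one fixed
-- directory and only with a plain file name. STRICT: NULL arguments
-- never reach the Perl body.
CREATE OR REPLACE FUNCTION export_write(fname text, contents text)
RETURNS text
LANGUAGE plperlu
STRICT
AS $$
    my ($fname, $contents) = @_;
    # Assumed directory; must exist and be writable by the server OS user.
    my $dir = '/var/lib/postgresql/exports';

    # These two checks are what the reviewing superuser has to see before
    # granting anyone EXECUTE: no directory separators, no "." or "..",
    # so pg_hba.conf in the data directory can never be the target.
    elog(ERROR, "invalid file name: $fname")
        unless $fname =~ /^[A-Za-z0-9_.-]+$/;
    elog(ERROR, "invalid file name: $fname")
        if $fname eq '.' || $fname eq '..';

    my $path = "$dir/$fname";
    open(my $fh, '>', $path) or elog(ERROR, "cannot open $path: $!");
    print $fh $contents;
    close($fh) or elog(ERROR, "cannot close $path: $!");
    return $path;
$$;

-- New functions are executable by PUBLIC by default, so revoke that
-- first and grant only to the role that is allowed to write exports.
REVOKE EXECUTE ON FUNCTION export_write(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION export_write(text, text) TO joe_haxor;  -- assumed role

-- Run as joe_haxor (not a superuser):
--   SELECT export_write('report.txt', 'hello');
--       accepted; the file lands in the exports directory
--   SELECT export_write('../pg_hba.conf', 'x');
--       rejected by the file name check inside the function
--   CREATE FUNCTION f() RETURNS text LANGUAGE plperlu AS 'return 1;';
--       rejected: only superusers may define functions in plperlu
```

Two things to keep in mind when reviewing such a function: the file operations always run with the OS privileges of the server process, whatever SQL role calls the function, which is exactly why the definition (not the execution) is what gets restricted to superusers; and EXECUTE being granted to PUBLIC by default means the REVOKE is not optional if the function is meant for one role only.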