Re: Creating functions and triggers - Mailing list pgsql-general

From Jan Wieck
Subject Re: Creating functions and triggers
Date
Msg-id 3EC794A9.80105@Yahoo.com
Whole thread Raw
In response to Re: Creating functions and triggers  ("scott.marlowe" <scott.marlowe@ihs.com>)
List pgsql-general
The original idea was protection. If a language offers mechanisms
through which a user can gain access to things, he normally does not
have access to, then it should be untrusted and require superuser
privileges to define functions in that language. Those functions, once
created by a superuser, can be considered trusted again depending on
their functionality.

Quick example: A function that writes a file onto disk.

Without any checks, that function could be used to replace the
pg_hba.conf file ... and go from there. Surely not trusted, no matter
who created it or what language he used.

If the function ensures that the file will end up in a certain path,
it's okay to trust it.

To write such a function requires that the language supports dealing
with files on the OS level. PL/Tcl for example does not, so a user
writing function in PL/Tcl cannot do it and thus, it's safe to allow Joe
Haxor to write functions in it. PL/TclU allows OS level file access, and
therefore a superuser better has an eye over the functions coding before
it ever gets called. The only mechanism we have for that is to restrict
the definition of functions in that said untrusted language to superusers.


Jan

Network Administrator wrote:
> We're saying the same thing- non-admin user (superusers) can only install
> untrusted languages.  However, I didn't know you could grant rights to a
> untrusted function.  That is interesting because I thought the language's
> trusted status was based on who owned the database. For instance, if I installed
> Perl as untrusted into template1 wouldn't any user database based I create for
> regular users (as the superuser but making them the database owner) run PL/Perl
>  functions as trusted?
>
> The initial reason for my post is that I [thought] I saw some talk about writing
> files as using PL/Perl instead of PL/Sh and I thought PL/Perl did not allow
> regular users to write files to the file system, no?
>
> Funny how 1 question leads to another-  which is cool, 'cause I like to learn
> some'n new everyday!
>
>
> Quoting Bruno Wolff III <bruno@wolff.to>:
>
>
>>On Tue, May 13, 2003 at 10:06:36 -0400,
>>  Network Administrator <netadmin@vcsn.com> wrote:
>>
>>>I had a thought/question 'bout this since I was reading some stuff on
>>
>>triggers-
>>
>>>especially PL/Perl (sec. 21.4 in the 7.3 Programmer Docs).  Isn't the
>>
>>simple
>>
>>>answer to this based on the fact that a PL installed as "trusted" will not
>>
>>allow
>>
>>>you to execute things that violate localization?  Furthermore, if a
>>
>>language is
>>
>>>installed as "untrusted", doesn't it prevent non-admin users from using it?
>>
>> Or
>>
>>>is this only for PL/Perl?
>>
>>Untrusted languages can only be used by superusers.
>>
>
>
>



--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck@Yahoo.com #


pgsql-general by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: Broken upgrade_tips link
Next
From: "alex b."
Date:
Subject: mod_perl + PostgreSQL implementation