Re: Specification for Trusted PLs? - Mailing list pgsql-hackers

From Jan Wieck
Subject Re: Specification for Trusted PLs?
Date
Msg-id 4BF9E84F.3010508@Yahoo.com
Whole thread Raw
In response to Re: Specification for Trusted PLs?  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: Specification for Trusted PLs?
List pgsql-hackers
On 5/23/2010 10:04 PM, Andrew Dunstan wrote:
> 
> Jan Wieck wrote:
>> On 5/23/2010 6:14 PM, Ron Mayer wrote:
>>> Tom Lane wrote:
>>>> Robert Haas <robertmhaas@gmail.com> writes:
>>>>> So... can we get back to coming up with a reasonable
>>>>> definition,
>>>>
>>>> (1) no access to system calls (including file and network I/O)
>>>
>>> If a PL has file access to it's own sandbox (similar to what
>>> flash seems to do in web browsers), could that be considered
>>> trusted?
>>
>> That is a good question.
>>
>> Currently, the first of all TRUSTED languages, PL/Tcl, would allow the 
>> function of a lesser privileged user access the "global" objects of 
>> every other database user created within the same session.
>>
>> These are per backend in memory objects, but none the less, an evil 
>> function could just scan the per backend Tcl namespace and look for 
>> compromising data, and that's not exactly what TRUSTED is all about.
>>
>> In the case of Tcl it is possible to create a separate "safe" 
>> interpreter per DB role to fix this. I actually think this would be 
>> the right thing to do.
>>
> 
> I think that would probably be serious overkill. Maybe a data stash per 
> role rather than an interpreter per role would be doable. it would 
> certainly be more lightweight.
> 
> ISTM we are in danger of confusing several different things. A user that 
> doesn't want data to be shared should not stash it in global objects. 
> But to me, trusting a language is not about making data private, but 
> about not allowing the user to do things that are dangerous, such as 
> referencing memory, or the file system, or the operating system, or 
> network connections, or loading code which might do any of those things.

How is "loading code which might do any of those things" different from 
writing a stored procedure, that accesses data, a careless "superuser" 
left in a global variable? Remember, the code of a PL function is "open" 
source - like in "everyone can select from pg_proc". You really don't 
expect anyone to scan for your global variables just because they can 
write functions in the same language?


Jan

-- 
Anyone who trades liberty for security deserves neither
liberty nor security. -- Benjamin Franklin


pgsql-hackers by date:

Previous
From: Craig Ringer
Date:
Subject: Re: Specification for Trusted PLs?
Next
From: Craig Ringer
Date:
Subject: Re: Specification for Trusted PLs?