Re: Proposal: template-ify (binary) extensions - Mailing list pgsql-hackers

From Markus Wanner
Subject Re: Proposal: template-ify (binary) extensions
Date
Msg-id 51EE624D.1090802@bluegap.ch
In response to Re: Proposal: template-ify (binary) extensions  (Markus Wanner <markus@bluegap.ch>)
List pgsql-hackers
On 07/16/2013 09:14 PM, I wrote:
> But okay, you're saying we *have* and *want* a guarantee that even a
> superuser cannot execute arbitrary native code via libpq (at least in
> default installs w/o extensions).

I stand corrected and have to change my position, again. For the record:

We do not have such a guarantee. Nor does it seem reasonable to want
one. On a default install, it's well possible for the superuser to run
arbitrary code via just libpq.

There are various ways to do it, but the simplest one I was shown is:

 - upload a DSO from the client into a large object
 - SELECT lo_export() that LO to a file on the server
 - LOAD it

There are a couple other options, so even if we let LOAD perform
permission checks (as I proposed before in this thread), the superuser
can still fiddle with function definitions. To the point that it doesn't
seem reasonable to try to protect against that.

Thus, the argument against the original proposal based on security
grounds is moot. Put another way: There already are a couple of
"backdoors" a superuser can use. By default. Or with plpgsql removed.

Thanks to Dimitri and Andres for patiently explaining and providing
examples.

Regards

Markus Wanner
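
The sequence described in the message above (lo_export() to a server file, then LOAD of that file) leaves a trace in the server log when statement logging is enabled. The following is an added example, not part of the original post or of PostgreSQL itself: it correlates lo_export() target paths with later LOAD statements over constructed log lines, assuming log_statement = 'all' and log_line_prefix = '%m [%p] '; the function names and sample paths are hypothetical.

```python
import re

# Constructed sample log (not from the post). Assumes log_statement = 'all'
# and log_line_prefix = '%m [%p] ' so each statement carries a backend PID.
SAMPLE_LOG = """\
2013-07-23 10:00:01.100 UTC [4242] LOG:  statement: SELECT lo_create(0);
2013-07-23 10:00:02.300 UTC [4242] LOG:  statement: SELECT lo_export(16401, '/tmp/ext_demo.so');
2013-07-23 10:00:02.900 UTC [5151] LOG:  statement: LOAD 'auto_explain';
2013-07-23 10:00:03.500 UTC [4250] LOG:  statement: LOAD '/tmp/ext_demo.so';
2013-07-23 10:00:04.000 UTC [6001] LOG:  statement: SELECT lo_export(16402, '/var/backup/report.pdf');
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:\s+statement: (?P<sql>.*)$")
EXPORT_RE = re.compile(r"lo_export\s*\(\s*[^,]+,\s*'(?P<path>[^']+)'", re.I)
LOAD_RE = re.compile(r"^\s*LOAD\s+'(?P<path>[^']+)'", re.I)


def _norm(path):
    # LOAD may omit the platform library suffix; assume Linux ".so" here.
    return path[:-3] if path.endswith(".so") else path


def find_export_then_load(log_text):
    """Report every LOAD of a file that an earlier lo_export() wrote."""
    exported = {}  # normalized path -> (pid, timestamp) of the export
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line in the assumed format
        for e in EXPORT_RE.finditer(m["sql"]):
            exported[_norm(e["path"])] = (m["pid"], m["ts"])
        ld = LOAD_RE.match(m["sql"])
        if ld and _norm(ld["path"]) in exported:
            pid, ts = exported[_norm(ld["path"])]
            # The file lives on the server, so any session can LOAD it:
            # correlate by path, not by backend PID.
            findings.append({"path": ld["path"], "export_pid": pid,
                             "export_ts": ts, "load_pid": m["pid"],
                             "load_ts": m["ts"]})
    return findings


if __name__ == "__main__":
    for finding in find_export_then_load(SAMPLE_LOG):
        print(finding)
```

This only covers the one path named in the message; as the message notes, other routes exist, so a match is a signal to investigate rather than a complete control.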


