Re: modules - Mailing list pgsql-hackers

From Tom Lane
Subject Re: modules
Date
Msg-id 7616.1207339964@sss.pgh.pa.us
Whole thread Raw
In response to Re: modules  (Gregory Stark <stark@enterprisedb.com>)
Responses Re: modules
List pgsql-hackers
Gregory Stark <stark@enterprisedb.com> writes:
> "Aidan Van Dyk" <aidan@highrise.ca> writes:
>> What if you didn't need super-user privileges to load "C" functions, on
>> the conditions that:
>> 1) There is no / in the obj_file filename (or some other "sanitizing"
>> rules)
>> 2) You're database owner

> That's an interesting idea.

And utterly, utterly insecure.

The fact that the referenced object file is a "trusted" Postgres module
isn't enough to make it safe --- the user can still play hob with the
system by creating functions with the wrong argument/result types,
pointing at exported symbols that weren't meant to be callable
functions, creating broken index opclasses from the functions, etc.

I think you'd need to move the security gating up a level, and somehow
see the SQL-language installation and deinstallation scripts as trusted.
This goes back to the question of what is a module anyway.

Like Andrew, I'm a bit disturbed that people feel free to propose to
implement this stuff when they evidently have read none of the prior
discussions.
        regards, tom lane


pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Garbage pad bytes within datums are bad news
Next
From: Alvaro Herrera
Date:
Subject: Re: Patch queue -> wiki