Gregory Stark <stark@enterprisedb.com> writes:
> "Aidan Van Dyk" <aidan@highrise.ca> writes:
>> What if you didn't need super-user privileges to load "C" functions, on
>> the conditions that:
>> 1) There is no / in the obj_file filename (or some other "sanitizing"
>> rules)
>> 2) You're database owner
> That's an interesting idea.

And utterly, utterly insecure.

The fact that the referenced object file is a "trusted" Postgres module
isn't enough to make it safe --- the user can still play hob with the
system by creating functions with the wrong argument/result types,
pointing at exported symbols that weren't meant to be callable
functions, creating broken index opclasses from the functions, etc.

I think you'd need to move the security gating up a level, and somehow
see the SQL-language installation and deinstallation scripts as trusted.
This goes back to the question of what is a module anyway.

Like Andrew, I'm a bit disturbed that people feel free to propose to
implement this stuff when they evidently have read none of the prior
discussions.

regards, tom lane