Re: allowing privileges on untrusted languages - Mailing list pgsql-hackers

From Tom Lane
Subject Re: allowing privileges on untrusted languages
Date
Msg-id 8630.1357917904@sss.pgh.pa.us
Whole thread Raw
In response to allowing privileges on untrusted languages  (Peter Eisentraut <peter_e@gmx.net>)
Responses Re: allowing privileges on untrusted languages
List pgsql-hackers
Peter Eisentraut <peter_e@gmx.net> writes:
> It turned out that actually getting rid of lanpltrusted would be too
> invasive, especially because some language handlers use it to determine
> their own behavior.

> So instead the lanpltrusted attribute now just determined what the
> default privileges of the language are, and all the checks the require
> superuserness to do anything with untrusted languages are removed.

Hmm ... that worries me a bit.  It seems like system security will now
require being sure that the permissions on the language match the
lanpltrusted setting.  Even if the code is right today, there's a lot
of scope for future oversights with security implications.  Don't know
what we could do to mitigate that.

In particular, have you thought carefully about upgrade scenarios?
Will a dump-and-restore of a pre-9.3 installation end up with safe
language privileges?

In the same vein, I'm worried that the proposed change in pg_dump will
do the wrong thing when looking at a pre-9.3 server.  Is any
server-version-dependent behavior needed there?
        regards, tom lane



pgsql-hackers by date:

Previous
From: Andres Freund
Date:
Subject: Re: foreign key locks
Next
From: Tom Lane
Date:
Subject: Re: ToDo: log plans of cancelled queries