Thread: Permissions for CREATE OPERATOR CLASS
The new CREATE OPERATOR CLASS command will presently let you create an
index opclass if you own the datatype the class is for. With the
recent emphasis on security I'm thinking that this is not an adequate
permission check. We don't have any reasonable way of checking that
the provided set of operators and support functions meet the
expectations of the index AM and are mutually consistent. This means
it's not at all difficult to make an index opclass that will crash
the backend when used.
I'm inclined to require superuser permissions to do CREATE OPERATOR
CLASS. This would not be a loss of functionality compared to prior
releases, since the old way of creating an opclass involved manual
insertions into system catalogs, also a superuser-only thing.
Comments?
regards, tom lane
En Fri, 23 Aug 2002 15:17:25 -0400 Tom Lane <tgl@sss.pgh.pa.us> escribió: > The new CREATE OPERATOR CLASS command will presently let you create an > index opclass if you own the datatype the class is for. With the > recent emphasis on security I'm thinking that this is not an adequate > permission check. We don't have any reasonable way of checking that > the provided set of operators and support functions meet the > expectations of the index AM and are mutually consistent. This means > it's not at all difficult to make an index opclass that will crash > the backend when used. Well, maybe this reduces the usefulness of having a CREATE TYPE as compared to being able to create operator classes as well, but I wonder how much people create their own types and want to create operator classes without being superusers. Is it too difficult to check whether the functions are "good for AM"? Does not sound like an easy task... (halting problem maybe?) > I'm inclined to require superuser permissions to do CREATE OPERATOR > CLASS. This would not be a loss of functionality compared to prior > releases, since the old way of creating an opclass involved manual > insertions into system catalogs, also a superuser-only thing. If it's unsafe, users should not be able to mess with it. I was playing around and got this: alvh=> create type my_cash (input = cash_in, output = cash_out, internallength = variable); ERROR: TypeCreate: function cash_out(opaque) does not exist -- Alvaro Herrera (<alvherre[a]atentus.com>) "La fuerza no está en los medios físicos sino que reside en una voluntad indomable" (Gandhi)
Alvaro Herrera <alvherre@atentus.com> writes:
> I was playing around and got this:
> alvh=> create type my_cash (input = cash_in, output = cash_out, internallength = variable);
> ERROR: TypeCreate: function cash_out(opaque) does not exist
Yeah, the CREATE TYPE code is now much stricter about the allowed
signatures of the I/O functions. The input function for a type foo
must be one offoo_in(cstring) returns foofoo_in(opaque) returns foofoo_in(cstring) returns opaquefoo_in(opaque) returns
opaque
while the output must be one offoo_out(foo) returns cstringfoo_out(opaque) returns cstringfoo_out(foo) returns
opaquefoo_out(opaque)returns opaque
so unless you use "opaque" you cannot use the same I/O function for
two different types. (Possibly the error message should complain about
foo_out(foo) not foo_out(opaque).)
If we hear a lot of squawks about that, we can discuss how to weaken
the rules ... but IMHO the entire point here is to introduce some type
safety into the use of I/O functions ...
regards, tom lane