Thread: Re: [PATCHES] Warning for missing createlang

Re: [PATCHES] Warning for missing createlang

From
Tom Lane
Date:
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Peter Eisentraut wrote:
>> Bruce Momjian writes:
>>> I don't mind the maintenance.  I just want people to stop getting stuck
>>> creating plpsql functions.
>> 
>> Then put plpgsql in the default installation.

> Fine with me.  I thought others didn't want it.

There are good security arguments not to have it in the default install,
no?  I certainly don't think that avoiding having grotty coding for a
hint is an argument that trumps our past reasons not to do it.
        regards, tom lane


Re: [PATCHES] Warning for missing createlang

From
Bruce Momjian
Date:
Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Peter Eisentraut wrote:
> >> Bruce Momjian writes:
> >>> I don't mind the maintenance.  I just want people to stop getting stuck
> >>> creating plpsql functions.
> >> 
> >> Then put plpgsql in the default installation.
> 
> > Fine with me.  I thought others didn't want it.
> 
> There are good security arguments not to have it in the default install,
> no?  I certainly don't think that avoiding having grotty coding for a
> hint is an argument that trumps our past reasons not to do it.

Yes, of course they are independent arguments.  Jan isn't comfortable
with it being included, and I think that is what has kept it out.

--  Bruce Momjian                        |  http://candle.pha.pa.us pgman@candle.pha.pa.us               |  (610)
359-1001+  If your life is a hard drive,     |  13 Roberts Road +  Christ can be your backup.        |  Newtown Square,
Pennsylvania19073
 


Re: [PATCHES] Warning for missing createlang

From
Peter Eisentraut
Date:
Tom Lane writes:

> There are good security arguments not to have it in the default install,
> no?

I think last time the only reason we saw was that dump restoring would be
difficult.  I don't see any security reasons.

-- 
Peter Eisentraut   peter_e@gmx.net



Re: [PATCHES] Warning for missing createlang

From
Andrew Dunstan
Date:

Peter Eisentraut wrote:

>Tom Lane writes:
>
>  
>
>>There are good security arguments not to have it in the default install,
>>no?
>>    
>>
>
>I think last time the only reason we saw was that dump restoring would be
>difficult.  I don't see any security reasons.
>

That could be overcome by doing a 'drop language' before running your 
restore, couldn't it? Maybe it would also be useful for such cases to 
have a switches on initdb and pg_dump to inhibit creation of the language.

I did see a reference in the archives to a problem with heavy recursion 
as a possible security hole. I guess my answer to that would be that if 
you are worried about it you should drop the language, but I don't see 
this alone as a reason not to install it by default. After all, you 
don't need plpgsql to bring the system to its knees :-)

But maybe there's some other reason my search didn't find.

cheers

andrew




Re: [PATCHES] Warning for missing createlang

From
Tom Lane
Date:
Andrew Dunstan <andrew@dunslane.net> writes:
> I did see a reference in the archives to a problem with heavy recursion 
> as a possible security hole. I guess my answer to that would be that if 
> you are worried about it you should drop the language, but I don't see 
> this alone as a reason not to install it by default. After all, you 
> don't need plpgsql to bring the system to its knees :-)

Yeah, now that we allow recursion in SQL functions, you don't need a PL
language to overflow the stack.  So that particular argument is seeming
a bit weak.  Were there any other security arguments against making
plpgsql standard?

Inability to load existing pg_dump archives might be a bigger objection.
However, we could fix that if pg_restore were modified to not stop dead
in its tracks upon encountering an error.  IMHO that was a wrong choice
from the beginning ... pg_dump scripts don't act that way, and
pg_restore should not either.
        regards, tom lane


Re: [PATCHES] Warning for missing createlang

From
Hannu Krosing
Date:
Andrew Dunstan kirjutas L, 06.09.2003 kell 16:14:
> Peter Eisentraut wrote:
> 
> >Tom Lane writes:
> >
> >  
> >
> >>There are good security arguments not to have it in the default install,
> >>no?
> >>    
> >>
> >
> >I think last time the only reason we saw was that dump restoring would be
> >difficult.  I don't see any security reasons.
> >
> 
> That could be overcome by doing a 'drop language' before running your 
> restore, couldn't it?

or to have CREATE OR REPLACE LANGUAGE  (like we have for FUNCTIONS).

-------------------
Hannu