| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | David Fetter <david(at)fetter(dot)org> |
| Cc: | Thomas Hallgren <thhal(at)mailblocks(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Interpretation of TRUSTED |
| Date: | 2005-02-08 23:08:58 |
| Message-ID: | 10962.1107904138@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
David Fetter <david(at)fetter(dot)org> writes:
> On Tue, Feb 08, 2005 at 11:12:07PM +0100, Thomas Hallgren wrote:
>> Is it OK to design a trusted language so that it allows access to
>> the filesystem provided that the session user is a super-user?
> I believe that that is what UNTRUSTED languages are for. Only the
> super-user may create functions in them, although there is no inherent
> restriction on other users' calling those functions.
AFAICS, what Thomas proposes would be exactly equivalent to root running
scripts owned by non-root users --- in this case, if session user is
root then functions written by other people would be allowed to do
things they normally shouldn't be able to do. It strikes me as a great
loophole for Trojan-horse functions. Not that a sane superuser would
run functions controlled by other people in the first place.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2005-02-08 23:21:31 | Re: Interpretation of TRUSTED |
| Previous Message | Thomas Hallgren | 2005-02-08 22:58:46 | Re: Interpretation of TRUSTED |