Re: untrusted languages and non-global superusers?

From: Tino Wildenhain <tino(at)wildenhain(dot)de>
To: CSN <cool_screen_name90001(at)yahoo(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-general(at)postgresql(dot)org
Subject: Re: untrusted languages and non-global superusers?
Date: 2005-08-04 07:15:17
Message-ID: 1123139718.15416.12.camel@sabrina.peacock.de
Lists: pgsql-general

On Wednesday, 03.08.2005 at 21:29 -0700, CSN wrote:
>
> --- Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> > CSN <cool_screen_name90001(at)yahoo(dot)com> writes:
> > > I'm using plphpu and I'd like to allow the regular
> > > database user to use it, but since it's "untrusted" it
> > > requires users to be superusers. If I have to do this,
> > > I don't want the user to be a superuser for all
> > > databases. Is it possible to grant superuser status to
> > > a user for a specific database?
> >
> > Exactly how would you prevent him from converting that into global
> > access? Especially if you're going to give him use of an untrusted
> > language? He could easily rewrite any configuration file you might
> > think is going to lock him out of your other databases.
>
> You lost me - how is any of that possible?

Untrusted languages run in the context of the database
and have full access to the filesystem. In short, you
can do anything with them your database can do + a lot more.

> >
> > > (The function uses mail(), so IIRC that necessitates
> > > using plphpu).
> >
> > Sending mail from a database function (or doing anything else that
> > involves external side-effects) is generally A Bad Idea, for reasons
> > that have been covered many times in the list archives.
>
> Why, exactly? In this situation I just set up a
> trigger that sends a welcome email to newly inserted
> members. Very convenient.

Why can't your application handle this?
OTOH, why don't you provide a function to send mail,
which takes some parameters and just let your users
use them? No need for everybody to write her own
mail function.
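
Added example, not part of the original message or of any poster's code: one way to set up the single shared mail function suggested above, so that ordinary users never need superuser rights. It swaps in plpython3u for plphpu, and the function name, the role `app_user`, the sender address and the local SMTP relay on localhost:25 are all assumptions.

```sql
-- Run as a superuser: creating a function in an untrusted language requires
-- superuser rights, but calling it only requires EXECUTE on the function.
-- Assumed: plpython3u is available; app_user and the addresses are placeholders.
BEGIN;
CREATE EXTENSION IF NOT EXISTS plpython3u;

CREATE FUNCTION send_welcome_mail(recipient text, member_name text)
RETURNS void
LANGUAGE plpython3u
AS $$
import re
import smtplib
from email.message import EmailMessage

# Callers control only these two values. Reject anything that is not a single
# plain address; whitespace (including CR/LF) would allow header injection.
if recipient is None or not re.fullmatch(r"[^@\s,;<>]+@[^@\s,;<>]+", recipient):
    plpy.error("invalid recipient address")
if member_name is None or re.search(r"[\r\n]", member_name) or len(member_name) > 100:
    plpy.error("invalid member name")

msg = EmailMessage()
msg["From"] = "welcome@example.org"   # fixed here, never taken from the caller
msg["To"] = recipient
msg["Subject"] = "Welcome"
msg.set_content("Hello %s, your account has been created." % member_name)

# The relay is fixed as well, so the function cannot be pointed at other hosts.
with smtplib.SMTP("localhost", 25, timeout=5) as relay:
    relay.send_message(msg)
$$;

-- New functions are executable by PUBLIC by default; close that before granting.
REVOKE ALL ON FUNCTION send_welcome_mail(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION send_welcome_mail(text, text) TO app_user;
COMMIT;
```

The message leaves the server as soon as the function runs, so it is not undone if the calling transaction later rolls back.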
