Expect problems with PL/Python and Python version 2.2.3+ & 2.3+

From: Sean Reifschneider <jafo(at)tummy(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Cc: guido(at)python(dot)org
Subject: Expect problems with PL/Python and Python version 2.2.3+ & 2.3+
Date: 2003-05-25 22:48:33
Message-ID: 20030525224833.GO31407@tummy.com
Lists: pgsql-hackers

My understanding (from the documentation and from a quick code check) is
that the PL/Python code uses Python's "rexec" ability to provide a
restricted execution environment for the Python code.

For those unfamiliar with it, rexec provides a restricted execution
environment, limiting access to certain Python and system routines.

This functionality is being deprecated in Python, due to security
problems and lack of maintainership to resolve them... Python 2.2.3
will ship next Friday with rexec disabled, and Python version 2.3 should
be out in about a month and will also not have rexec.

The first issue to note is that currently rexec does have some security
problems which mean that enabling pl/python may cause users to gain
access to the system as the user PostgreSQL is running as. I'm not very
familiar with these problems, just that there are some...

It may be appropriate to just remove the rexec, with the result being
that PL/Python code will be able to have access to basically anything on
the system as the user PostgreSQL is running as.

So, heads up... 2.2.3 and 2.3 and later versions of Python will
probably not work with PostgreSQL and PL/Python.

Sean
--
Brooks's Law of Prototypes: Plan to throw one away, you will anyhow.
Sean Reifschneider, Inimitably Superfluous <jafo(at)tummy(dot)com>
tummy.com, ltd. - Linux Consulting since 1995. Qmail, Python, SysAdmin
Back off man. I'm a scientist. http://HackingSociety.org/
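As an added example (not part of Sean's message or of PostgreSQL), a small probe that tells an administrator whether the Python that PL/Python is built against still provides a usable rexec: 2.2.3 and 2.3 keep the module but make the RExec() constructor raise RuntimeError, and Python 3 removed the module entirely. The `importer` parameter is an assumption made so the check can be exercised against a stand-in module.

```python
"""Probe for a working rexec and state what its absence means for PL/Python.

Added example; not code from the original message or from PostgreSQL.
"""
import importlib


def rexec_status(importer=importlib.import_module):
    """Return 'working', 'disabled' or 'absent'.

    'disabled' matches Python 2.2.3+/2.3, where the module imports but
    RExec() raises RuntimeError; 'absent' matches Python 3, where the
    module no longer exists.  `importer` is injectable for testing.
    """
    try:
        rexec = importer("rexec")
    except ImportError:          # ModuleNotFoundError is a subclass
        return "absent"
    try:
        rexec.RExec()            # the constructor is what 2.2.3+ disables
    except RuntimeError:
        return "disabled"
    return "working"


def plpython_exposure(status):
    """Translate the probe result into the consequence the mail describes."""
    if status == "working":
        return "restricted: PL/Python code runs inside a rexec sandbox"
    return ("unrestricted: PL/Python code has the full privileges of the "
            "OS user PostgreSQL runs as")


if __name__ == "__main__":
    s = rexec_status()
    print("rexec:", s)
    print("PL/Python:", plpython_exposure(s))
```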
