Re: PlPython

From: elein <elein(at)varlena(dot)com>
To: "scott(dot)marlowe" <scott(dot)marlowe(at)ihs(dot)com>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: PlPython
Date: 2003-06-27 23:40:53
Message-ID: 200306271640.53317.elein@varlena.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-hackers


Yes, I understand. (And the dev docs look pretty darn good)

I was just wondering if postgresql had a language independent
definitive list of "dangerous" functionality, but it seems
that the trusted-ness implementation is pretty language specific.

Just for general knowledge, with python 2.1.1, I was able to
import the following documented as "forbidden" modules.
I have only used "string" so I do NOT assume that enabling
import means that they all work. (more testing...)

array bisect binascii calendar cmath errno
marshal math md5 operator pcre pickle
random re regex sha StringIO struct
time whrandom string

The following modules from the forbidden
list caused import errors as expected:
zlib, codecs, mpz

I'll do some more testing and submit a more complete
doc patch if I can squeeze in the time. Or if someone
else wants to help let me know.

elein(at)varlena(dot)com

On Friday 27 June 2003 15:15, scott.marlowe wrote:
> C is god. I.e. C functions run as the same user as the postmaster, and
> can do anything they want, and it takes a superuser to install functions
> written in it.
>
> The following are (were...?) trusted languages in 7.3.3:
>
> plpgsql
> pltcl
> plpython
> plsql (built in)
>
> These are the untrusted languages in 7.3.3:
>
> pltclu
> plperlu
> C functions
>
> A trusted language is basically one that lives in a box that won't let it
> do dangerous things like write files, call system calls as the postgres
> super user etc...
>
> Explanation (still in need of editing for the final release of 7.4) are
> here:
>
> http://developer.postgresql.org/docs/postgres/xplang.html
>
> On Fri, 27 Jun 2003, elein wrote:
>
> >
> >
> > Perhaps this should be asked on the interfaces list, but...
> > Exactly what functions are prohibited (or acceptable)
> > for a pl language in PostgreSQL to become trusted?
> >
> > Is the exact criteria list documented somewhere?
> >
> > Since C is wide open, why is it considered trusted,
> > or is it? Or are some C calls disallowed by the
> > function manager (this was what we did at informix,
> > we also enforced permissions carefully (after showing
> > how easy it was to break things :-) ).
> >
> > My guess of the list would be:
> > 1. No or a restricted set of OS calls
> > (what would be the restricted set?
> > The set Keith removed?)
> > 2. No file system operations or strongly
> > enforced permissions on file system operations.
> >
> > Elein
> >
> > On Thursday 26 June 2003 11:48, Karsten Hilbert wrote:
> > > >>Now that the rexec code is gone, it MUST be marked untrusted --- this is
> > > >>not a question for debate. Installing it as trusted would be a security
> > > >>hole.
> > > >
> > > > That means that there is something else untrusted in PLPython,
> > > > what is this?
> > > Well, basically everything else.
> > >
> > > You are getting this backwards. Making Python a *trusted*
> > > language *requires* something like rexec. Since we don't have
> > > rexec anymore (it never was much good, apparently) we cannot
> > > make Python trusted. Hence we must make it untrusted to keep
> > > it in at all.
> > >
> > > The point here is not whether we trust the rest of Python but
> > > whether we have something (like rexec) that restricts the
> > > standard Python. Only if we have that do we define a language
> > > as "trusted".
> > >
> > > Things would be different, of course, if an entire language
> > > was restricted by nature. That would be a candidate for a
> > > trusted language without needing specific add-on execution
> > > restriction.
> > >
> > > Karsten
> > > --
> > > GPG key ID E4071346 @ wwwkeys.pgp.net
> > > E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
> > >
> > > ---------------------------(end of broadcast)---------------------------
> > > TIP 2: you can get off all lists at once with the unregister command
> > > (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
> > >
> > >
> >
> >
>
>

--
=============================================================
elein(at)varlena(dot)com Database Consulting www.varlena.com
PostgreSQL General Bits http:/www.varlena.com/GeneralBits/
"Free your mind the rest will follow" -- en vogue

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Doug McNaught 2003-06-27 23:44:14 Re: Redhat's "enhancements" to PG
Previous Message Karsten Hilbert 2003-06-27 23:36:30 Re: INSERT WHERE NOT EXISTS

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2003-06-28 00:18:35 Re: Possible mistake in new array syntax
Previous Message Bruce Momjian 2003-06-27 23:15:14 Assembler error