From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
Cc: | pgsql-patches <pgsql-patches(at)postgresql(dot)org> |
Subject: | Re: WIP: plpgsql source code obfuscation |
Date: | 2008-04-07 02:14:01 |
Message-ID: | 200804070214.m372E1R26880@momjian.us |
Lists: | pgsql-patches |
Added to TODO:
o Add ability to obfuscate function bodies
http://archives.postgresql.org/pgsql-patches/2008-01/msg00125.php
---------------------------------------------------------------------------
Pavel Stehule wrote:
> Hello
>
> this patch defines a new function flag - OBFUSCATE. With this flag,
> the encrypted source code is stored in the probin column. The password is stored
> in a GUC_SUPERUSER_ONLY item - it is similar security to what SQL Server
> does (where privileged users can access system tables with source code
> or can use a debugger).
>
> ToDo: Dump
>
> Sample:
>
> postgres=# show obfuscator_password;
> obfuscator_password
> -----------------------
> moje supertajne heslo
> (1 row)
>
> postgres=# \x
> Expanded display is on.
> postgres=# create or replace function fx() returns int as $$begin
> return -1; end; $$ language plpgsql;
> CREATE FUNCTION
> postgres=# \df+ fx
> List of functions
> -[ RECORD 1 ]-------+-----------------------
> Schema | public
> Name | fx
> Result data type | integer
> Argument data types |
> Volatility | volatile
> Owner | bob
> Language | plpgsql
> Source code | begin return -1; end;
> Description |
>
> postgres=# ALTER FUNCTION fx() obfuscate;
> NOTICE: begin return -1; end;
> ALTER FUNCTION
> postgres=# \df+ fx
> List of functions
> -[ RECORD 1 ]-------+---------
> Schema | public
> Name | fx
> Result data type | integer
> Argument data types |
> Volatility | volatile
> Owner | bob
> Language | plpgsql
> Source code | -
> Description |
>
> postgres=# select fx();
> -[ RECORD 1 ]
> fx | -1
>
> postgres=# create or replace function fx() returns int as $$begin
> return -1; end; $$ language plpgsql obfuscate;
> CREATE FUNCTION
> postgres=# select fx();
> -[ RECORD 1 ]
> fx | -1
>
> postgres=# \df+ fx
> List of functions
> -[ RECORD 1 ]-------+---------
> Schema | public
> Name | fx
> Result data type | integer
> Argument data types |
> Volatility | volatile
> Owner | bob
> Language | plpgsql
> Source code | -
> Description |
>
> postgres=# select * from pg_proc where proname = 'fx';
> -[ RECORD 1 ]--+----------------------------------------------------------------------------
> proname | fx
> pronamespace | 2200
> proowner | 16385
> prolang | 16421
> procost | 100
> prorows | 0
> proisagg | f
> prosecdef | f
> proisstrict | f
> proretset | f
> provolatile | v
> pronargs | 0
> prorettype | 23
> proargtypes |
> proallargtypes |
> proargmodes |
> proargnames |
> prosrc | -
> probin |
> \231\003_\266\361\214}\231\240L/\020\232\036c\234\315P\236\266I\370\324\222
> proconfig |
> proacl |
>
>
> [pavel(at)okbob-bb ~]$ psql -U bob postgres
> Welcome to psql 8.3RC2, the PostgreSQL interactive terminal.
>
> Type: \copyright for distribution terms
> \h for help with SQL commands
> \? for help with psql commands
> \g or terminate with semicolon to execute query
> \q to quit
>
> postgres=> \x
> Expanded display is on.
> postgres=> show obfuscator_password;
> ERROR: must be superuser to examine "obfuscator_password"
> postgres=> select fx();
> -[ RECORD 1 ]
> fx | -1
>
> postgres=> \df+ fx
> List of functions
> -[ RECORD 1 ]-------+---------
> Schema | public
> Name | fx
> Result data type | integer
> Argument data types |
> Volatility | volatile
> Owner | bob
> Language | plpgsql
> Source code | -
> Description |
>
> postgres=> select * from pg_proc where proname = 'fx';
> -[ RECORD 1 ]--+----------------------------------------------------------------------------
> proname | fx
> pronamespace | 2200
> proowner | 16385
> prolang | 16421
> procost | 100
> prorows | 0
> proisagg | f
> prosecdef | f
> proisstrict | f
> proretset | f
> provolatile | v
> pronargs | 0
> prorettype | 23
> proargtypes |
> proallargtypes |
> proargmodes |
> proargnames |
> prosrc | -
> probin |
> \231\003_\266\361\214}\231\240L/\020\232\036c\234\315P\236\266I\370\324\222
> proconfig |
> proacl |
[ Attachment, skipping... ]
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: Don't 'kill -9' the postmaster
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +