Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)

From: Bill Moran <wmoran(at)collaborativefusion(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: David Fetter <david(at)fetter(dot)org>, Greg Smith <gsmith(at)gregsmith(dot)com>, Jonathan Bond-Caron <jbondc(at)openmv(dot)com>, "'Postgres General List'" <pgsql-general(at)postgresql(dot)org>
Subject: Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)
Date: 2008-09-16 12:40:45
Message-ID: 20080916084045.595ca9ee.wmoran@collaborativefusion.com
Lists: pgsql-general pgsql-www

In response to Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:

> Bill Moran <wmoran(at)collaborativefusion(dot)com> writes:
> > What I'm _asking_ is why would extending SECURITY DEFINER to include
> > preventing unauthorized users from viewing code _not_ be a valid method
> > of securing the code.
>
> Because it's so full of obvious loopholes. Yes, it might slow down
> someone who didn't have superuser access to the database or root access
> to the machine it's on; but that doesn't count as secure really. The
> problem is that the people who ask for this type of feature are usually
> imagining that they can put their code on customer-controlled machines
> and it will be safe from the customer's eyes. Well, it isn't, and
> I don't think Postgres should encourage them to think it is.

Shame that. I can imagine it being a useful feature in certain situations
(such as a hosted environment), although I understand the concern.

Code obfuscation is the norm, though. The world at large still seems to
believe that compiling code makes it secret, despite the fact that crooks
have demonstrated again and again that they're more than willing to read
through opcodes, and the fact that there are decompilers available for
just about every major compiled format.

--
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/

wmoran(at)collaborativefusion(dot)com
Phone: 412-422-3463x4023
