Re: Can we still trust plperl?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Tim Bunce <Tim(dot)Bunce(at)pobox(dot)com>
Subject: Re: Can we still trust plperl?
Date: 2010-03-11 14:56:35
Message-ID: 20087.1268319395@sss.pgh.pa.us
Lists: pgsql-hackers

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> Last night my attention was drawn to this:

> <http://search.cpan.org/~timb/PostgreSQL-PLPerl-Injector-1.002/lib/PostgreSQL/PLPerl/Injector.pm>

> I'm wondering if we can reasonably continue to support plperl as a
> trusted language, or at least redefine what "trusted" actually means.
> Does it mean "can't do untrusted operations" or does it mean "can't do
> untrusted operations unless the DBA and/or possibly the user decide to
> subvert the mechanism"? To me, the latter doesn't sound much like it's
> worth having. Is it?

AFAICS the DBA has to participate in setting up that module, so it's
no different from any other PL language. You can insert stuff into the
trusted interpreter in pltcl too. It's on the DBA's head to not insert
stuff that's insecure --- so what? To my mind it's a feature not a
bug that this is possible. It's just like the on_init work that you've
been doing; it's about letting the DBA have control over what users of
the trusted language can get at.

What bothers me more is the fact that genuine holes are beginning to
show up in Safe. I wonder if we aren't seeing the first stages of what
happened to trusted plpython. Building a secure sandbox feature into
a language that wasn't designed for it is hard. However, I'm not going
to panic until there's reason for panic, and this doesn't look like a
reason.

regards, tom lane
