Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH]

On Wed, Feb 3, 2010 at 00:46, Alex Hunsaker <badalex(at)gmail(dot)com> wrote:
> On Tue, Feb 2, 2010 at 22:50, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Alex Hunsaker <badalex(at)gmail(dot)com> writes:
>>> On Tue, Feb 2, 2010 at 21:38, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>>> Alex Hunsaker <badalex(at)gmail(dot)com> writes:
>>>>> Yeah the both is gross.  How about:
>>>>> plperl.on_plperl_init
>>>>> plperl.on_plperlu_init
>>>>> plperl.on_init ?
>
>>> Well its already in.
>>
>> Well *that's* easily fixed.  I think it's a bad idea, because it's
>> unclear what you should put there and what the security implications
>> are.
>
>  I can't speak for its virtue, maybe Tim, Andrew?

Ahh I think i figured it out.

plperl.on_trusted_init runs *inside* of the safe. So you cant do
unsafe things like use this or that module. plperl.on_init runs on
init *outside* of the safe so you can use modules and what not. So now
I can use say Digest::SHA without tossing the baby out with the bath
water (just using plperlu). Gaping security whole? Maybe, no more so
than installing an insecure C/plperlu function as you have to edit
postgresql.conf to change it. Right?

Maybe we should have:
plperl.on_plperl_safe_init (runs inside of the safe, PGC_USERSET)
plperl.on_plperl_init (runs outside safe, PGC_SUSET)
plperl.on_plpleru_init (PGC_SUSET)

All of the above have no SPI/database access.

I think we can gt away with PGC_USERSET on safe_init as it wont allow
you to do anything "scary" like play with security definer functions
or redefine functions etc... There does seem to be the risk that I
may not have plperl GRANTed but I can make any plperl function
elog(ERROR) as long as they have not loaded plperl via a
plperl_safe_init. We can probably fix that if people think its a
valid dos/attack vector.

Comments?