| From: | Stuart Bishop <stuart(at)stuartbishop(dot)net> |
|---|---|
| To: | Alexandre da Silva <simpsomboy(at)gmail(dot)com> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: plpythonu |
| Date: | 2008-01-18 13:48:43 |
| Message-ID: | 4790AE3B.8040602@stuartbishop.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Alexandre da Silva wrote:
> Hello,
> someone can tell me if is secure to create external python modules and
> import them to functions/procedures/triggers to use?
Its fine as long as you trust the users with write access to your PYTHONP=
ATH.
> Another question is that I have read in some discussion list (old
> message year 2003) the possibility of plpython be removed from
> postgresql, this information is valid yet?
plpython !=3D plpythonu.
plpython was the 'secure' sandboxed version. The Python devs gave up
supporting any sort of sandboxing feature in Python declaring it impossib=
le.
plpythonu is unrestricted, so if you have the ability to create plpythonu=
stored procedures you effectively have full filesystem access on your
database server as the user your database is running as. So don't put
open('/etc/passwd','w') in your plpythonu code.
--=20
Stuart Bishop <stuart(at)stuartbishop(dot)net>
http://www.stuartbishop.net/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stefan Schwarzer | 2008-01-18 14:01:02 | Re: Forgot to dump old data before re-installing machine |
| Previous Message | Dave Page | 2008-01-18 13:39:56 | Re: Forgot to dump old data before re-installing machine |