Re: [HACKERS] What about CREATE OR REPLACE FUNCTION?

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Jean-Michel POURE <jm(dot)poure(at)freesurf(dot)fr>, <pgsql-hackers(at)postgresql(dot)org>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: [HACKERS] What about CREATE OR REPLACE FUNCTION?
Date: 2001-10-09 22:36:24
Message-ID: Pine.LNX.4.30.0110092056560.672-100000@peter.localdomain
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgadmin-hackers pgsql-hackers

Tom Lane writes:

> I believe the primary reason why PL languages aren't installed by
> default is security considerations

Well, that argumentation seems to be analogous to giving someone login
access on a multiuser computer system but not letting him execute, say,
perl because he might write recursive functions with it. Such setups
exist (perhaps with something else instead of perl and recursive
functions) but they are not the norm and usually fine-tuned by the
administrator.

We have realized time and time again that giving someone access to a
PostgreSQL server is already a security risk. Any person can easily crash
the server (select cash_out(2) is prominently documented as doing that) or
exhaust time and space resources by writing appropriate queries.
Privilege systems do not guard against that. Privilege systems are for
guarding against a reasonable user "cheating".

Now, if a procedural language is not safe (at least as safe as the rest of
the system that's accessible to an ordinary user), then it shouldn't be
marked "trusted". Otherwise, the consequence of this chain of arguments
is that createlang selectively introduces a security whole into your
system. Of course, we may warn, "Be careful when installing procedural
languages, because ...". But are users going to be careful? How do they
know what kind of care to exercise, and just *how* to do that?

No, I don't think this is the ideal situation. I don't want to press for
changing it right now because I'm not particularly bothered by it, and the
second sentence of the previous paragraph might just be true. In a future
life, a privilege system should give finer grained control about access to
PLs, but we might want to think about what the default should be.

--
Peter Eisentraut peter_e(at)gmx(dot)net http://funkturm.homeip.net/~peter

In response to

Responses

Browse pgadmin-hackers by date

  From Date Subject
Next Message Christopher Kings-Lynne 2001-10-10 01:57:10 Re: [HACKERS] What about CREATE OR REPLACE FUNCTION?
Previous Message Tom Lane 2001-10-09 17:27:41 Re: [HACKERS] What about CREATE OR REPLACE FUNCTION?

Browse pgsql-hackers by date

  From Date Subject
Next Message Tatsuo Ishii 2001-10-10 01:12:01 Re: [HACKERS] Unicode combining characters
Previous Message Peter Eisentraut 2001-10-09 22:35:25 EXTRACT broken