From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Nathan Bossart <nathandbossart(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: allow building trusted languages without the untrusted versions |
Date: | 2022-05-25 01:34:33 |
Message-ID: | Yo2HqS2gs1vwKa0s@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, May 24, 2022 at 09:19:40PM -0400, Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > I always thought if pg_proc is able to call an arbitrary function in an
> > arbitrary library, it could access to the file system, and if that is
> > true, locking the super-user from file system access seems impossible
> > and unwise to try because it would give a false sense of security.
>
> That was the situation when we had v0 function call semantics. ISTM
> we are at least a lot closer now to being able to say it's locked down:
> "internal" functions can only reach things that are in the fmgrtab
> table, and "C" functions can only reach things that have associated
> PG_FUNCTION_INFO_V1 symbols. Plus we won't load shared libraries
> that don't have PG_MODULE_MAGIC blocks. Maybe there's still a way
> around all that, but it's sure a lot less obvious than it once was,
> and there are probably things we could do to make it even harder.
Okay, good to know.
> I think would-be hackers are now reduced to doing what Robert
> suggested, which is trying to find a way to subvert a validly
> SQL-callable function by passing it bogus arguments. Maybe there's
> a way to gain filesystem access by doing that, but it's not going
> to be easy if the function is not one that intended to allow such
> operations.
Yes, I think if we can say we are safe in standard superuser-changeable
things like modifying the system tables, we might have a chance. Are
settings like archive_command safe?
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Indecision is a decision. Inaction is an action. Mark Batterson
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2022-05-25 01:35:19 | Re: Limiting memory allocation |
Previous Message | Justin Pryzby | 2022-05-25 01:32:48 | doc phrase: "inheritance child" |