| From: | "Merlin Moncure" <mmoncure(at)gmail(dot)com> |
|---|---|
| To: | "Neil Conway" <neilc(at)samurai(dot)com> |
| Cc: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "David Fetter" <david(at)fetter(dot)org>, "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, andrew(at)supernews(dot)com, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: plpgsql by default |
| Date: | 2006-04-12 16:22:03 |
| Message-ID: | b42b73150604120922n1d6dac1dgba92e193aee9421f@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 4/11/06, Neil Conway <neilc(at)samurai(dot)com> wrote:
> On Tue, 2006-04-11 at 17:20 -0400, Tom Lane wrote:
> > No, I'm saying that having access to a PL renders certain classes of
> > attacks significantly more efficient. A determined attacker with
> > unlimited time may not care, but in the real world, security is
> > relative.
>
> That's a fair point.
>
> Perhaps a compromise would be to enable pl/pgsql by default, but not
> grant the USAGE privilege on it. This would allow superusers to define
+1 (+10 if I could, and I'm doing my best not to pontificate about security)
merlin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Greg Sabino Mullane | 2006-04-12 16:22:15 | Re: Get explain output of postgresql in Tables |
| Previous Message | Martijn van Oosterhout | 2006-04-12 16:15:09 | Re: Practical impediment to supporting multiple SSL libraries |