Re: For review: Server instrumentation patch

"Magnus Hagander" <mha(at)sollentuna(dot)net> writes:
> Bottom line: If somebody hacks your superuser, you've lost your
> database. If your database service user has write access to sensitive
> areas, or if you later log in as root (or whatever) and execute any
> files that the database service user has write access to, you've lost
> your box. This holds true with or without the patch.

Nonetheless, the patch makes it vastly easier for an attacker to do bad
things, and vastly harder for an admin to try to lock down the database
adequately. For instance, the question of .so security can be attacked
by not installing any .so's that you don't want used; likewise a contrib
file-access module can be left off the system if it's considered a
hazard. But if the functionality is part of the core database then it's
exceedingly difficult for someone who doesn't want it to get rid of it.
(I believe that you'd actually have to recompile the server with the
dangerous functions removed; just deleting their pg_proc entries doesn't
stop someone from recreating those entries.)

Saying "we don't need to lock this down because there are other possible
attacks" is about like leaving your front door open because you know
that a determined burglar could get in by breaking a window. You may
or may not want to install steel bars over the windows, but that's no
argument for leaving the door open.

regards, tom lane