Skip site navigation (1) Skip section navigation (2)

Re: Security hole in PL/pgSQL

From: Jan Wieck <janwieck(at)Yahoo(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Jan Wieck <janwieck(at)Yahoo(dot)com>, PostgreSQL HACKERS <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Security hole in PL/pgSQL
Date: 2001-01-29 16:29:31
Message-ID: 200101291629.LAA03679@jupiter.greatbridge.com (view raw or flat)
Thread:
Lists: pgsql-hackers
Tom Lane wrote:
> Jan Wieck <janwieck(at)Yahoo(dot)com> writes:
> >     the  new  EXECUTE  command  in  PL/pgSQL  is a security hole.
> >     PL/pgSQL is  a  trusted  procedural  language,  meaning  that
> >     regular  users  can  write  code  in it. With the new EXECUTE
> >     command, someone could read and write arbitrary  files  under
> >     the postgres UNIX-userid using the COPY command.
>
> Huh?  This would only be true if all operations inside plpgsql are
> executed as superuser, which they are not.  Seems to me the existing
> defense against non-superuser using COPY is sufficient.

Phew,

    you  save  my day. I should better think twice before ringing
    the alarm bell :-)


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck(at)Yahoo(dot)com #



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


In response to

pgsql-hackers by date

Next:From: Bruce MomjianDate: 2001-01-29 16:30:39
Subject: Re: Can PyGreSQL be updated?
Previous:From: Vince VielhaberDate: 2001-01-29 16:21:38
Subject: Shouldn't this be an error?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group