Tom Lane wrote:
> Jan Wieck <janwieck(at)Yahoo(dot)com> writes:
> > the new EXECUTE command in PL/pgSQL is a security hole.
> > PL/pgSQL is a trusted procedural language, meaning that
> > regular users can write code in it. With the new EXECUTE
> > command, someone could read and write arbitrary files under
> > the postgres UNIX-userid using the COPY command.
> Huh? This would only be true if all operations inside plpgsql are
> executed as superuser, which they are not. Seems to me the existing
> defense against non-superuser using COPY is sufficient.
you save my day. I should better think twice before ringing
the alarm bell :-)
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#================================================== JanWieck(at)Yahoo(dot)com #
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
In response to
pgsql-hackers by date
|Next:||From: Bruce Momjian||Date: 2001-01-29 16:30:39|
|Subject: Re: Can PyGreSQL be updated?|
|Previous:||From: Vince Vielhaber||Date: 2001-01-29 16:21:38|
|Subject: Shouldn't this be an error?|