
Re: pl/perl and security

From: Jan Wieck <janwieck(at)Yahoo(dot)com>
To: CMVV <cmvilaverde(at)mail(dot)telepac(dot)pt>
Cc: pgsql-interfaces(at)postgreSQL(dot)org
Subject: Re: pl/perl and security
Date: 2001-02-08 12:10:08
Message-ID: 200102081210.HAA03543@jupiter.greatbridge.com
Lists: pgsql-interfaces
CMVV wrote:
> Hi,
>
> I have discovered that in pl/perl we cannot make use of file handling.
> The README file in ../pl/plperl gives us a hint with an example of a
> badfunc().
> What are the security reasons to do so, since with postgresql extensions
> (functions) written in C language we can do anything with flat files?
> Can this security issue with pl/perl be overridden?
> If so, how can I hack it?
> It will be so nice to manage files from server-based functions written in
> pl/perl.
> Thanks

    The security issue is that PL/Perl is designed to be a trusted
    procedural language. Meaning, any unprivileged user can create
    functions in it. Having file access, which is done under the
    UNIX userid running the postmaster process, any user could
    modify your pg_hba.conf ...

    The same applies to PL/Tcl, which is why there will be an
    untrusted PL/TclU in 7.1, where only DB superusers can define
    functions in it.

    I'm not a Perl guy, but AFAIK you can modify the command mask
    used for the perl interpreter in the PL handler. But be sure
    to restrict your patched version of PL/Perl to superusers, or
    accept that you created a big security hole.


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck(at)Yahoo(dot)com #
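The trusted/untrusted split Jan describes is what a DBA can verify and rely on today. The following SQL is an added illustration, not part of the original thread, and assumes a modern PostgreSQL server with the plperl and plperlu extensions installed and a non-superuser role named app_user (a constructed name). The trusted language refuses the file operation at function-compile time because its Perl interpreter runs inside a Safe compartment with file operations masked; the untrusted variant allows it but can only be used by superusers, which is the control that replaces the "patched PL/Perl" the reply warns about.

```sql
-- Audit which procedural languages are trusted: an unprivileged role may
-- create functions only in languages with lanpltrusted = true.
SELECT lanname, lanpltrusted, lanacl
  FROM pg_language
 WHERE lanname IN ('plperl', 'plperlu', 'pltcl', 'pltclu');

-- Constructed path used only to show the behaviour; nothing in the cluster
-- depends on it.
-- Attempt file I/O from the TRUSTED language. Expected outcome: the server
-- rejects the function body because 'open' is trapped by the Safe
-- compartment's operation mask, so no file is ever touched.
CREATE FUNCTION write_file_trusted() RETURNS text AS $$
    open(my $fh, '>', '/tmp/plperl_example.txt') or return "open failed: $!";
    print $fh "written by plperl\n";
    close($fh);
    return "wrote file";
$$ LANGUAGE plperl;

-- The same body in the UNTRUSTED language compiles and runs with the
-- privileges of the server's OS user. Only a superuser can create it.
CREATE FUNCTION write_file_untrusted() RETURNS text AS $$
    open(my $fh, '>', '/tmp/plperl_example.txt') or return "open failed: $!";
    print $fh "written by plperlu\n";
    close($fh);
    return "wrote file";
$$ LANGUAGE plperlu;

-- Least privilege: even for the trusted language, function creation can be
-- withheld from roles that do not need it, and granted back selectively.
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
GRANT  USAGE ON LANGUAGE plperl TO app_user;

-- Confirm the resulting grants.
SELECT lanname, lanpltrusted, lanacl FROM pg_language WHERE lanname = 'plperl';
```

Run as a superuser the first CREATE fails and the second succeeds; run as app_user the second fails as well, with a permission error, because untrusted languages ignore GRANT and accept superusers only. If your deployment ever carries a locally modified PL/Perl handler with a relaxed operation mask, this pg_language check is the quickest way to see whether it was registered as trusted by mistake.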