Re: plpgsql by default

From: David Fetter <david(at)fetter(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, andrew(at)supernews(dot)com, pgsql-hackers(at)postgresql(dot)org
Subject: Re: plpgsql by default
Date: 2006-04-11 21:31:14
Message-ID: 20060411213114.GD411@fetter.org
Lists: pgsql-hackers

On Tue, Apr 11, 2006 at 05:20:02PM -0400, Tom Lane wrote:
> David Fetter <david(at)fetter(dot)org> writes:
> > I don't get your not getting this 'cause you're a very smart guy.
> > Are you under the impression that an attacker will stop because he
> > has to try a few times?
>
> No, I'm saying that having access to a PL renders certain classes of
> attacks significantly more efficient. A determined attacker with
> unlimited time may not care, but in the real world, security is
> relative. You don't have to make yourself an impenetrable target,
> only a harder target than the next IP address --- or at least hard
> enough that the attacker's likely to get noticed before he's
> succeeded. (And certainly, doing anything compute-intensive via
> recursive SQL functions is not the way to go unnoticed.)
>
> In the end it's only one small component of security, but any
> security expert will tell you that you take all the layers of
> security that you can get. If you don't need a given bit of
> functionality, it shouldn't get installed.

As others have mentioned, and I will reiterate here:

1. Anyone who imagines that PL/PgSQL presents a bigger or more
vulnerable attack surface can remove it via DROP LANGUAGE.

2. Anybody who wants to do harm inside the database can do it to
arbitrary levels of damage in SQL with RULEs, recursive functions,
set-returning functions, etc.

Cheers,
D
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
phone: +1 415 235 3778 AIM: dfetter666
Skype: davidfetter

Remember to vote!
