Skip site navigation (1) Skip section navigation (2)

Re: Security hole in PL/pgSQL

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Jan Wieck <janwieck(at)Yahoo(dot)com>
Cc: PostgreSQL HACKERS <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Security hole in PL/pgSQL
Date: 2001-01-29 15:57:01
Message-ID: 24638.980783821@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-hackers
Jan Wieck <janwieck(at)Yahoo(dot)com> writes:
>     the  new  EXECUTE  command  in  PL/pgSQL  is a security hole.
>     PL/pgSQL is  a  trusted  procedural  language,  meaning  that
>     regular  users  can  write  code  in it. With the new EXECUTE
>     command, someone could read and write arbitrary  files  under
>     the postgres UNIX-userid using the COPY command.

Huh?  This would only be true if all operations inside plpgsql are
executed as superuser, which they are not.  Seems to me the existing
defense against non-superuser using COPY is sufficient.

			regards, tom lane

In response to

Responses

pgsql-hackers by date

Next:From: KuroiNekoDate: 2001-01-29 16:01:02
Subject: Re: Security hole in PL/pgSQL
Previous:From: Tom LaneDate: 2001-01-29 15:51:30
Subject: Re: [ANNOUNCE] PostgreSQL v7.1BETA4 Bundled and Available ...

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group