Stephen Frost <sfrost(at)snowman(dot)net> writes:
> If you want to secure your system against a superuser()-level intrusion
> then you need to secure the unix account, or disable creation of
> C-language and other untrusted languages (at least).
Very likely --- which is why Magnus' idea of an explicit switch to
prevent superuser filesystem access seems attractive to me. It'd
have to turn off LOAD and creation of new C functions as well as COPY
and the other stuff we discussed.
However, once again, the availability of security hole A does not
justify creating security hole B. For example, even with creation
of new C functions disabled, a superuser attacker might be able to use a
file-write function to overwrite an existing .so and thereby subvert an
existing C-function definition to do something bad.
regards, tom lane
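The last paragraph points at a concrete check that is worth running whether or not such a switch ever exists: a file-write primitive reached through a superuser connection executes as the server's OS account, so any shared library that account can overwrite (or any library directory it can rename files in) lets an existing C-language function be subverted without LOAD or CREATE FUNCTION. The script below lists exactly those files and directories. It is an added example, not code from this thread or from PostgreSQL; it assumes the libraries live where `pg_config --pkglibdir` reports and that the server account is named `postgres`, both of which are parameters.

```shell
#!/bin/sh
# Added example; not code from the pgsql-hackers thread or from PostgreSQL.
#
# Any server-side file write (COPY ... TO, a C function, or a future
# file-write builtin) runs as the OS account the postmaster runs under.
# If that account can write a shared library that an existing C-language
# function references, or can rename files in the library directory, the
# library's code can be replaced without LOAD or CREATE FUNCTION.  This
# lists libraries and directories the server account could write.
# Only mode bits are checked: PostgreSQL refuses to run as root, so the
# "root bypasses permissions" case is deliberately out of scope.
#
# Usage: sh check_writable_libs.sh LIBDIR [OSUSER]
#   LIBDIR  ''  selects `pg_config --pkglibdir` (assumed to be on PATH)
#   OSUSER      defaults to "postgres" (an assumption about the deployment)

# writable_libs LIBDIR OSUSER
#   Prints, one per line, every directory under LIBDIR and every
#   *.so / *.so.N / *.dylib below it that OSUSER can write through
#   ownership, group membership (primary or supplementary) or
#   world-writable bits.  Uses only POSIX find primaries and octal
#   -perm masks (-200 = u+w, -020 = g+w, -002 = o+w).
#   Returns 2 for a missing directory or an unknown OS user.
writable_libs() {
    libdir=${1:-$(pg_config --pkglibdir 2>/dev/null)}
    user=${2:-postgres}

    if [ -z "$libdir" ] || [ ! -d "$libdir" ]; then
        echo "writable_libs: library directory not found: '$libdir'" >&2
        return 2
    fi
    # find -user matches nothing, or errors, for an unknown account;
    # either way the result would look clean, so fail loudly instead.
    if ! id "$user" >/dev/null 2>&1; then
        echo "writable_libs: unknown OS user: $user" >&2
        return 2
    fi

    {
        # Directories: write access lets an attacker rename a fresh .so
        # over the original even when the original file is read-only.
        find "$libdir" -type d -user "$user" -perm -200 -print
        find "$libdir" -type d -perm -002 -print
        # Libraries: owner-writable or world-writable.
        find "$libdir" -type f \
            \( -name '*.so' -o -name '*.so.*' -o -name '*.dylib' \) \
            \( \( -user "$user" -perm -200 \) -o -perm -002 \) -print
        # Group-writable, for every group the account belongs to.
        for g in $(id -Gn "$user"); do
            find "$libdir" \
                \( -type d -o -name '*.so' -o -name '*.so.*' -o -name '*.dylib' \) \
                -group "$g" -perm -020 -print
        done
    } 2>/dev/null | sort -u
}

# When run as a script: exit 1 if anything is listed, so it can gate a deploy.
if [ "$#" -gt 0 ]; then
    out=$(writable_libs "$@") || exit 2
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        exit 1
    fi
    echo "no server-writable libraries under ${1:-$(pg_config --pkglibdir)}"
fi
```

A non-empty listing means the "disable LOAD and CREATE FUNCTION" switch would not close the hole described above, because the attacker never needs either statement: the library files and their directory should be owned by root (or the packaging account) and not writable by the server account. Repeat the check for any extra directories named in `dynamic_library_path`, since LOAD-free subversion works through any library the server will map.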
pgsql-hackers by date