
Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH]

From: Alex Hunsaker <badalex(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Tim Bunce <Tim(dot)Bunce(at)pobox(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH]
Date: 2010-02-03 08:06:03
Message-ID: 34d269d41002030006k17c9db72pc72bc38d57219bb9@mail.gmail.com
Lists: pgsql-hackers
On Wed, Feb 3, 2010 at 00:46, Alex Hunsaker <badalex(at)gmail(dot)com> wrote:
> On Tue, Feb 2, 2010 at 22:50, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Alex Hunsaker <badalex(at)gmail(dot)com> writes:
>>> On Tue, Feb 2, 2010 at 21:38, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>>> Alex Hunsaker <badalex(at)gmail(dot)com> writes:
>>>>> Yeah the both is gross.  How about:
>>>>> plperl.on_plperl_init
>>>>> plperl.on_plperlu_init
>>>>> plperl.on_init ?
>
>>> Well its already in.
>>
>> Well *that's* easily fixed.  I think it's a bad idea, because it's
>> unclear what you should put there and what the security implications
>> are.
>
>  I can't speak for its virtue, maybe Tim, Andrew?

Ahh, I think I figured it out.

plperl.on_trusted_init runs *inside* of the safe.  So you can't do
unsafe things like use this or that module.  plperl.on_init runs on
init *outside* of the safe, so you can use modules and whatnot. So now
I can use, say, Digest::SHA without tossing the baby out with the bath
water (just using plperlu). Gaping security hole? Maybe, but no more so
than installing an insecure C/plperlu function, as you have to edit
postgresql.conf to change it.  Right?

Maybe we should have:
plperl.on_plperl_safe_init (runs inside of the safe, PGC_USERSET)
plperl.on_plperl_init (runs outside safe, PGC_SUSET)
plperl.on_plperlu_init (PGC_SUSET)

All of the above have no SPI/database access.

I think we can get away with PGC_USERSET on safe_init as it won't allow
you to do anything "scary" like play with security definer functions
or redefine functions etc...  There does seem to be the risk that I
may not have plperl GRANTed but I can make any plperl function
elog(ERROR) as long as they have not loaded plperl via a
plperl_safe_init.  We can probably fix that if people think it's a
valid DoS/attack vector.

Comments?
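The inside/outside-the-Safe distinction discussed above, as an added stand-alone Perl illustration (not code from the plperl patch or from anyone in this thread): it assumes only the core Safe and Digest::SHA modules and says nothing about how plperl itself wires its hooks. It shows that a `require` attempted inside a default Safe compartment is rejected by the opcode mask, while a function loaded outside and shared in can be called from inside without granting the compartment the ability to load anything else.

```perl
#!/usr/bin/perl
# Added illustration (not plperl code): what "inside the safe" versus
# "outside the safe" means for loading modules.  Assumes only the core
# modules Safe and Digest::SHA are available.
use strict;
use warnings;
use Safe;

# Outside the compartment, the role the proposed plperl.on_init would play:
# loading a module is permitted.
require Digest::SHA;

my $cpt = Safe->new;

# Inside the compartment, the role plperl.on_trusted_init would play: the
# default opcode mask does not permit 'require', so the compartment cannot
# load the module itself.  reval() returns undef and sets $@.
my $ok = $cpt->reval('require Digest::SHA; 1');
if (defined $ok) {
    print "inside Safe: require succeeded (unexpected)\n";
} else {
    print "inside Safe: require denied: $@";
}

# The pattern the discussion points at: load outside, then share only the
# needed function into the compartment.  Code inside can call it, but it
# still cannot load anything new.
$cpt->share_from('Digest::SHA', ['&sha256_hex']);
my $digest = $cpt->reval('sha256_hex("hello")');
die "shared call failed: $@" unless defined $digest;
print "inside Safe via shared sub: $digest\n";
```

Run it as a plain script; the first reval reports an "'require' trapped by operation mask" error and the second prints the hex digest, which is the observable difference between the two hook locations the message describes.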
