On Wed, Feb 3, 2010 at 00:46, Alex Hunsaker <badalex(at)gmail(dot)com> wrote:
> On Tue, Feb 2, 2010 at 22:50, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Alex Hunsaker <badalex(at)gmail(dot)com> writes:
>>> On Tue, Feb 2, 2010 at 21:38, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>>> Alex Hunsaker <badalex(at)gmail(dot)com> writes:
>>>>> Yeah the both is gross. How about:
>>>>> plperl.on_init ?
>>> Well its already in.
>> Well *that's* easily fixed. I think it's a bad idea, because it's
>> unclear what you should put there and what the security implications
> I can't speak for its virtue, maybe Tim, Andrew?
Ahh I think i figured it out.
plperl.on_trusted_init runs *inside* of the safe. So you cant do
unsafe things like use this or that module. plperl.on_init runs on
init *outside* of the safe so you can use modules and what not. So now
I can use say Digest::SHA without tossing the baby out with the bath
water (just using plperlu). Gaping security whole? Maybe, no more so
than installing an insecure C/plperlu function as you have to edit
postgresql.conf to change it. Right?
Maybe we should have:
plperl.on_plperl_safe_init (runs inside of the safe, PGC_USERSET)
plperl.on_plperl_init (runs outside safe, PGC_SUSET)
All of the above have no SPI/database access.
I think we can gt away with PGC_USERSET on safe_init as it wont allow
you to do anything "scary" like play with security definer functions
or redefine functions etc... There does seem to be the risk that I
may not have plperl GRANTed but I can make any plperl function
elog(ERROR) as long as they have not loaded plperl via a
plperl_safe_init. We can probably fix that if people think its a
valid dos/attack vector.
In response to
pgsql-hackers by date
|Next:||From: Fujii Masao||Date: 2010-02-03 08:19:46|
|Subject: Streaming replication and message type header|
|Previous:||From: Alex Hunsaker||Date: 2010-02-03 07:46:38|
|Subject: Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH]|