Re: PlPython

C is god. I.e. C functions run as the same user as the postmaster, and
can do anything they want, and it takes a superuser to install functions
written in it.

The following are (were...?) trusted languages in 7.3.3:

plpgsql
pltcl
plpython
plsql (built in)

These are the untrusted languages in 7.3.3:

pltclu
plperlu
C functions

A trusted language is basically one that lives in a box that won't let it
do dangerous things like write files, call system calls as the postgres
super user etc...

Explanation (still in need of editing for the final release of 7.4) are
here:

http://developer.postgresql.org/docs/postgres/xplang.html

On Fri, 27 Jun 2003, elein wrote:

>
>
> Perhaps this should be asked on the interfaces list, but...
> Exactly what functions are prohibited (or acceptable)
> for a pl language in PostgreSQL to become trusted?
>
> Is the exact criteria list documented somewhere?
>
> Since C is wide open, why is it considered trusted,
> or is it? Or are some C calls disallowed by the
> function manager (this was what we did at informix,
> we also enforced permissions carefully (after showing
> how easy it was to break things :-) ).
>
> My guess of the list would be:
> 1. No or a restricted set of OS calls
> (what would be the restricted set?
> The set Keith removed?)
> 2. No file system operations or strongly
> enforced permissions on file system operations.
>
> Elein
>
> On Thursday 26 June 2003 11:48, Karsten Hilbert wrote:
> > >>Now that the rexec code is gone, it MUST be marked untrusted --- this is
> > >>not a question for debate. Installing it as trusted would be a security
> > >>hole.
> > >
> > > That means that there is something else untrusted in PLPython,
> > > what is this?
> > Well, basically everything else.
> >
> > You are getting this backwards. Making Python a *trusted*
> > language *requires* something like rexec. Since we don't have
> > rexec anymore (it never was much good, apparently) we cannot
> > make Python trusted. Hence we must make it untrusted to keep
> > it in at all.
> >
> > The point here is not whether we trust the rest of Python but
> > whether we have something (like rexec) that restricts the
> > standard Python. Only if we have that do we define a language
> > as "trusted".
> >
> > Things would be different, of course, if an entire language
> > was restricted by nature. That would be a candidate for a
> > trusted language without needing specific add-on execution
> > restriction.
> >
> > Karsten
> > --
> > GPG key ID E4071346 @ wwwkeys.pgp.net
> > E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 2: you can get off all lists at once with the unregister command
> > (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
> >
> >
>
>