Re: untrusted languages and non-global superusers?

Am Mittwoch, den 03.08.2005, 21:29 -0700 schrieb CSN:
>
> --- Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> > CSN <cool_screen_name90001(at)yahoo(dot)com> writes:
> > > I'm using plphpu and I'd like to allow the regular
> > > database user to use it, but since it's
> > "untrusted" it
> > > requires users to be superusers. If I have to do
> > this,
> > > I don't want the user to be a superuser for all
> > > databases. Is it possible to grant superuser
> > status to
> > > a user for a specific database?
> >
> > Exactly how would you prevent him from converting
> > that into global
> > access? Especially if you're going to give him use
> > of an untrusted
> > language? He could easily rewrite any configuration
> > file you might
> > think is going to lock him out of your other
> > databases.
>
> You lost me - how is any of that possible?

untrusted languages run in the context of the database
and have full access to the filesystem. In short, you
can do anything with them your database can do + a lot more.

> >
> > > (The function uses mail(), so IIRC that
> > necessitates
> > > using plphpu).
> >
> > Sending mail from a database function (or doing
> > anything else that
> > involves external side-effects) is generally A Bad
> > Idea, for reasons
> > that have been covered many times in the list
> > archives.
>
> Why, exactly? In this situation I just set up a
> trigger that sends a welcome email to newly inserted
> members. Very convenient.

Why cant your application handle this?
Otoh, why dont you provide a function to send mail,
which takes some parameters and just let your users
use them? No need for everybody to write her own
mail function.