| From: | Jan Wieck <janwieck(at)Yahoo(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Jan Wieck <janwieck(at)Yahoo(dot)com>, PostgreSQL HACKERS <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Security hole in PL/pgSQL |
| Date: | 2001-01-29 16:29:31 |
| Message-ID: | 200101291629.LAA03679@jupiter.greatbridge.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
> Jan Wieck <janwieck(at)Yahoo(dot)com> writes:
> > the new EXECUTE command in PL/pgSQL is a security hole.
> > PL/pgSQL is a trusted procedural language, meaning that
> > regular users can write code in it. With the new EXECUTE
> > command, someone could read and write arbitrary files under
> > the postgres UNIX-userid using the COPY command.
>
> Huh? This would only be true if all operations inside plpgsql are
> executed as superuser, which they are not. Seems to me the existing
> defense against non-superuser using COPY is sufficient.
Phew,
you save my day. I should better think twice before ringing
the alarm bell :-)
Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#================================================== JanWieck(at)Yahoo(dot)com #
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2001-01-29 16:30:39 | Re: Can PyGreSQL be updated? |
| Previous Message | Vince Vielhaber | 2001-01-29 16:21:38 | Shouldn't this be an error? |