Re: Expect problems with PL/Python and Python version 2.2.3+

From: Guido van Rossum <guido(at)python(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Sean Reifschneider <jafo(at)tummy(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Expect problems with PL/Python and Python version 2.2.3+
Date: 2003-05-26 06:46:20
Message-ID: 200305260646.h4Q6kK908555@pcp02138704pcs.reston01.va.comcast.net
Lists: pgsql-hackers

> Sean Reifschneider <jafo(at)tummy(dot)com> writes:
> > For those unfamiliar with it, rexec provides a restricted execution
> > environment, limiting access to certain Python and system routines.
> > This functionality is being deprecated in Python, due to security
> > problems and lack of maintainership to resolve them...
>
> Is no substitute solution being offered?

There are hopes that rexec will eventually be fixed. But nobody has
signed up to do the work. So for the time being, no. (The fixes
aren't simple; the problem is really deep in the bowels of the new
class/type unification code, and a fix will require serious rethinking
of the security implications of everything there.)

> > It may be appropriate to just remove the rexec, with the result being
> > that PL/Python code will be able to have access to basically anything on
> > the system as the user PostgreSQL is running as.
>
> We would have to change it to an untrusted language. We could do that,
> but it would mean a major reduction in the usefulness of plpython.
> Few DBAs of average paranoia levels want to give superuser access to
> their database users.

Then they shouldn't trust rexec either, at least not with Python 2.2
and up. I can't divulge the details, but there are quite a few known
attacks on rexec. The python-dev list archives have details.

I'm not saying I'm not sorry about this state of affairs. But I
prefer to be upfront and say "there is currently no secure restricted
execution mode" rather than pretend everything is cool and let bad
guys hack into your system via the rexec holes.

You could always downgrade to Python 2.1.3.

--Guido van Rossum (home page: http://www.python.org/~guido/)
