| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Noah Misch <noah(at)leadboat(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers) |
| Date: | 2012-06-12 19:13:26 |
| Message-ID: | 20982.1339528406@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> On Tue, Jun 12, 2012 at 11:31 AM, Noah Misch <noah(at)leadboat(dot)com> wrote:
>>> This seems bizarre and largely unnecessary. As you stated to begin
>>> with, granting ownership of a function implies some degree of trust.
>> Yes, but I would never expect that level of trust to include access to crash
>> the server as a consequence of the function's reliance on STRICT.
> +1. Crashes are bad.
C functions, by definition, carry a risk of crashing the server.
I cannot fathom the reasoning why we should consider that granting
ownership of one to an untrustworthy user is ever a good idea, let alone
something we promise to protect you from any bad consequences of.
Even if I accepted that premise, this patch is a pretty bad
implementation of it, because it restricts cases that there is no
reason to think are unsafe.
A less bizarre and considerably more future-proof restriction, IMO,
would simply refuse any attempt to give ownership of a C function
to a non-superuser.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dusan Misic | 2012-06-12 19:21:59 | Possible error in psql or Postgres? |
| Previous Message | Robert Haas | 2012-06-12 18:50:44 | Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers) |