Quick Links

Re: Security hole in PL/pgSQL

From:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To:	Jan Wieck <janwieck(at)Yahoo(dot)com>
Cc:	PostgreSQL HACKERS <pgsql-hackers(at)postgresql(dot)org>
Subject:	Re: Security hole in PL/pgSQL
Date:	2001-01-29 15:57:01
Message-ID:	24638.980783821@sss.pgh.pa.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Jan Wieck <janwieck(at)Yahoo(dot)com> writes:
> the new EXECUTE command in PL/pgSQL is a security hole.
> PL/pgSQL is a trusted procedural language, meaning that
> regular users can write code in it. With the new EXECUTE
> command, someone could read and write arbitrary files under
> the postgres UNIX-userid using the COPY command.

Huh? This would only be true if all operations inside plpgsql are
executed as superuser, which they are not. Seems to me the existing
defense against non-superuser using COPY is sufficient.

regards, tom lane

In response to

Security hole in PL/pgSQL at 2001-01-29 15:07:27 from Jan Wieck

Responses

Re: Security hole in PL/pgSQL at 2001-01-29 16:29:31 from Jan Wieck
Re: Security hole in PL/pgSQL at 2001-01-29 16:55:14 from KuroiNeko

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	KuroiNeko	2001-01-29 16:01:02	Re: Security hole in PL/pgSQL
Previous Message	Tom Lane	2001-01-29 15:51:30	Re: [ANNOUNCE] PostgreSQL v7.1BETA4 Bundled and Available ...