| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Noah Misch <noah(at)leadboat(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers) |
| Date: | 2012-07-20 19:45:15 |
| Message-ID: | 29738.1342813515@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> I don't particularly care for that solution; it seems like a kludge.
> I've kind of wondered whether we ought to have checks in all the ALTER
> routines that spit up if you try to ALTER an extension member from any
> place other than an extension upgrade script... but that still
> wouldn't prevent the extension owner from dropping the members out of
> the extension and then modifying them afterwards. I'm not sure we
> want to prevent that in general, but maybe there could be some
> locked-down mode that has that effect.
Right, I wasn't too clear about that, but I meant that we'd have some
sort of locked-down state for an extension that would forbid fooling
with its contents. For development purposes, or for anybody that "knows
what they're doing", adding/subtracting/modifying member objects is
mighty handy. But a non-superuser who's loaded an extension that
contains C functions ought not have those privileges for it.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2012-07-20 19:51:04 | Re: Event Triggers reduced, v1 |
| Previous Message | Robert Haas | 2012-07-20 19:39:33 | Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers) |