Re: plpgsql by default

From: "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk>
To: "Peter Eisentraut" <peter_e(at)gmx(dot)net>, <pgsql-hackers(at)postgresql(dot)org>
Cc: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "David Fetter" <david(at)fetter(dot)org>, "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, <andrew(at)supernews(dot)com>
Subject: Re: plpgsql by default
Date: 2006-04-12 10:54:30
Message-ID: E7F85A1B5FF8D44C8A1AF6885BC9A0E4011C9C2A@ratbert.vale-housing.co.uk
Lists: pgsql-hackers

> -----Original Message-----
> From: pgsql-hackers-owner(at)postgresql(dot)org
> [mailto:pgsql-hackers-owner(at)postgresql(dot)org] On Behalf Of
> Peter Eisentraut
> Sent: 12 April 2006 11:33
> To: pgsql-hackers(at)postgresql(dot)org
> Cc: Tom Lane; David Fetter; Jim C. Nasby; Joshua D. Drake;
> andrew(at)supernews(dot)com
> Subject: Re: [HACKERS] plpgsql by default
>
> On Tuesday, 11 April 2006 23:20, Tom Lane wrote:
> > In the end it's only one small component of security, but any security
> > expert will tell you that you take all the layers of security that you
> > can get.
>
> I think what the security experts are saying is that you need
> a thorough evaluation of assets, attackers, risks, and
> countermeasures, and I don't see that here.

Regardless of any evaluations, or any proven or theoretical risks in any
given code it's Basic Security 101 stuff to disable/remove anything that
is not required in a system to immediately reduce the number of
potential attacks that could be made. Microsoft are the classic example
- they enabled pretty much everything by default in Windows leaving it
vulnerable to attack through services many people weren't using (NetBios
on a single home user machine for example). You install a modern version
of Windows now though and you'll see virtually every network service is
disabled, or even uninstalled by default, leaving it up to the user to
install as required. In addition of course, those services are still
subject to the normal bug fixes and updates for those users that do
require them.

Keeping PostgreSQL as secure as possible out of the box pretty much
requires us to do the same in my mind - if a major feature such as
pl/pgsql is easy for the user to enable should they want it, then it
should be disabled by default to minimise the number of attack vectors
for all those users that do not want it.

Regards, Dave
