From: | Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)postgresql(dot)org, Jan Wieck <jan(at)wi3ck(dot)info> |
Subject: | Re: I propose killing PL/Tcl's "modules" infrastructure |
Date: | 2017-02-27 14:36:56 |
Message-ID: | b8362f6c-1638-4164-7bbe-f68fb6531258@2ndQuadrant.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 02/26/2017 02:54 PM, Tom Lane wrote:
> * I'm not terribly comfortable about what the permissions levels of the
> GUCs ought to be. The call permissions check means that you can't use
> either GUC to call a function you couldn't have called anyway. However
> there's a separate risk of trojan-horse execution, analogous to what a
> blackhat can get by controlling the search_path GUC setting used by a
> SECURITY DEFINER function: the function might intend to invoke some pltcl
> function, but you can get it to invoke some other pltcl function in
> addition to that. I think this means we had better make pltclu.start_proc
> be SUSET, but from a convenience standpoint it'd be nice if
> pltcl.start_proc were just USERSET. An argument in favor of that is that
> we don't restrict search_path which is just as dangerous; but on the other
> hand, existing code should be expected to know that it needs to beware of
> search_path, while it wouldn't know that start_proc needs to be locked
> down. Maybe we'd better make them both SUSET.
>
plperl's on_plperl_init and on_plperlu_init settings are both SUSET.
In practice with PLv8 this is usually set in the config file in my
experience.
cheers
andrew
--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From | Date | Subject | |
---|---|---|---|
Next Message | David Fetter | 2017-02-27 14:43:30 | Re: rename pg_log directory? |
Previous Message | Tomas Vondra | 2017-02-27 14:14:20 | Re: PATCH: two slab-like memory allocators |