On Wed, Feb 3, 2010 at 00:46, Alex Hunsaker <bada...@gmail.com> wrote: > On Tue, Feb 2, 2010 at 22:50, Tom Lane <t...@sss.pgh.pa.us> wrote: >> Alex Hunsaker <bada...@gmail.com> writes: >>> On Tue, Feb 2, 2010 at 21:38, Tom Lane <t...@sss.pgh.pa.us> wrote: >>>> Alex Hunsaker <bada...@gmail.com> writes: >>>>> Yeah the both is gross. How about: >>>>> plperl.on_plperl_init >>>>> plperl.on_plperlu_init >>>>> plperl.on_init ? > >>> Well its already in. >> >> Well *that's* easily fixed. I think it's a bad idea, because it's >> unclear what you should put there and what the security implications >> are. > > I can't speak for its virtue, maybe Tim, Andrew?
Ahh I think i figured it out. plperl.on_trusted_init runs *inside* of the safe. So you cant do unsafe things like use this or that module. plperl.on_init runs on init *outside* of the safe so you can use modules and what not. So now I can use say Digest::SHA without tossing the baby out with the bath water (just using plperlu). Gaping security whole? Maybe, no more so than installing an insecure C/plperlu function as you have to edit postgresql.conf to change it. Right? Maybe we should have: plperl.on_plperl_safe_init (runs inside of the safe, PGC_USERSET) plperl.on_plperl_init (runs outside safe, PGC_SUSET) plperl.on_plpleru_init (PGC_SUSET) All of the above have no SPI/database access. I think we can gt away with PGC_USERSET on safe_init as it wont allow you to do anything "scary" like play with security definer functions or redefine functions etc... There does seem to be the risk that I may not have plperl GRANTed but I can make any plperl function elog(ERROR) as long as they have not loaded plperl via a plperl_safe_init. We can probably fix that if people think its a valid dos/attack vector. Comments? -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers