Christopher Kings-Lynne wrote: > > > Hey yep, good point. > > > > Is this the only way that we know of non postgresql-superusers to be > > able to take out the server other than by extremely non-optimal, > > resource wasting queries? > > > > If we release a 7.2.2 because of this, can we be pretty sure we have a > > "no known vulnerabilities" release, or are there other small holes which > > should be fixed too? > > What about that "select cash_out(2) crashes because of opaque" entry in the > TODO? That really needs to be fixed. > > I was talking to a CS lecturer about switching to postgres from oracle when > 7.3 comes out and all he said was "how easily is it hacked?". He says their > systems are the most constantly bombarded in universities. What could I > say? That any unprivileged user can just go 'select cash_out(2)' to DOS the > backend?
If he's using Oracle already, he ought to check out: http://www.cert.org/advisories/CA-2002-08.html I'd still think it would be a good policy to make a security release. However, without user resource limits in PostgreSQL, anyone can make a machine useless with a query like: SELECT * FROM pg_class a, pg_class b, pg_class c, pg_class d, pg_class e, ... ; Mike Mascari [EMAIL PROTECTED] ---------------------------(end of broadcast)--------------------------- TIP 4: Don't 'kill -9' the postmaster
