Andrew Dunstan wrote:
> Bruce Momjian wrote:
> >As a super-user, could an attacker load a server-side language and
> >access the backend environment variable PGDATA.  
> >  
> >
> plperl won't do it, but plperlu will (as expected I guess). But the 
> superuser will have to jump through some explicit hoops in order to get 
> there, which is different from providing such facilities out of the box.

I am thinking they could easily use pgtcl.  I don't think the hoops are
very high.

  Bruce Momjian                        |
  [EMAIL PROTECTED]               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
    (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])

Reply via email to