Re: [PATCHES] WIP: plpgsql source code obfuscation

Bruce Momjian Sun, 06 Apr 2008 19:14:07 -0700

Added to TODO:

        o Add ability to obfuscate function bodies


          http://archives.postgresql.org/pgsql-patches/2008-01/msg00125.php


---------------------------------------------------------------------------

Pavel Stehule wrote:
> Hello
> 
> this patch define new function flag - OBFUSCATE. With this flag
> encrypted source code is stored to probin column. Password is stored
> in GUC_SUPERUSER_ONLY item - it is similar security like SQL Server
> does (where privileged users can access system tables with source code
> or can use debugger).
> 
> ToDo: Dump
> 
> Sample:
> 
> postgres=# show obfuscator_password;
>   obfuscator_password
> -----------------------
>  moje supertajne heslo
> (1 row)
> 
> postgres=# \x
> Expanded display is on.
> postgres=# create or replace function fx() returns int as $$begin
> return -1; end; $$ language plpgsql;
> CREATE FUNCTION
> postgres=# \df+ fx
> List of functions
> -[ RECORD 1 ]-------+-----------------------
> Schema              | public
> Name                | fx
> Result data type    | integer
> Argument data types |
> Volatility          | volatile
> Owner               | bob
> Language            | plpgsql
> Source code         | begin return -1; end;
> Description         |
> 
> postgres=# ALTER FUNCTION fx() obfuscate;
> NOTICE:  begin return -1; end;
> ALTER FUNCTION
> postgres=# \df+ fx
> List of functions
> -[ RECORD 1 ]-------+---------
> Schema              | public
> Name                | fx
> Result data type    | integer
> Argument data types |
> Volatility          | volatile
> Owner               | bob
> Language            | plpgsql
> Source code         | -
> Description         |
> 
> postgres=# select fx();
> -[ RECORD 1 ]
> fx | -1
> 
> postgres=# create or replace function fx() returns int as $$begin
> return -1; end; $$ language plpgsql obfuscate;
> CREATE FUNCTION
> postgres=# select fx();
> -[ RECORD 1 ]
> fx | -1
> 
> postgres=# \df+ fx
> List of functions
> -[ RECORD 1 ]-------+---------
> Schema              | public
> Name                | fx
> Result data type    | integer
> Argument data types |
> Volatility          | volatile
> Owner               | bob
> Language            | plpgsql
> Source code         | -
> Description         |
> 
> postgres=# select * from pg_proc where proname = 'fx';
> -[ RECORD 1 
> ]--+----------------------------------------------------------------------------
> proname        | fx
> pronamespace   | 2200
> proowner       | 16385
> prolang        | 16421
> procost        | 100
> prorows        | 0
> proisagg       | f
> prosecdef      | f
> proisstrict    | f
> proretset      | f
> provolatile    | v
> pronargs       | 0
> prorettype     | 23
> proargtypes    |
> proallargtypes |
> proargmodes    |
> proargnames    |
> prosrc         | -
> probin         |
> \231\003_\266\361\214}\231\240L/\020\232\036c\234\315P\236\266I\370\324\222
> proconfig      |
> proacl         |
> 
> 
> [EMAIL PROTECTED] ~]$ psql -U bob postgres
> Welcome to psql 8.3RC2, the PostgreSQL interactive terminal.
> 
> Type:  \copyright for distribution terms
>        \h for help with SQL commands
>        \? for help with psql commands
>        \g or terminate with semicolon to execute query
>        \q to quit
> 
> postgres=> \x
> Expanded display is on.
> postgres=> show obfuscator_password;
> ERROR:  must be superuser to examine "obfuscator_password"
> postgres=> select fx();
> -[ RECORD 1 ]
> fx | -1
> 
> postgres=> \df+ fx
> List of functions
> -[ RECORD 1 ]-------+---------
> Schema              | public
> Name                | fx
> Result data type    | integer
> Argument data types |
> Volatility          | volatile
> Owner               | bob
> Language            | plpgsql
> Source code         | -
> Description         |
> 
> postgres=> select * from pg_proc where proname = 'fx';
> -[ RECORD 1 
> ]--+----------------------------------------------------------------------------
> proname        | fx
> pronamespace   | 2200
> proowner       | 16385
> prolang        | 16421
> procost        | 100
> prorows        | 0
> proisagg       | f
> prosecdef      | f
> proisstrict    | f
> proretset      | f
> provolatile    | v
> pronargs       | 0
> prorettype     | 23
> proargtypes    |
> proallargtypes |
> proargmodes    |
> proargnames    |
> prosrc         | -
> probin         |
> \231\003_\266\361\214}\231\240L/\020\232\036c\234\315P\236\266I\370\324\222
> proconfig      |
> proacl         |

[ Attachment, skipping... ]

> 
> ---------------------------(end of broadcast)---------------------------
> TIP 2: Don't 'kill -9' the postmaster

-- 
  Bruce Momjian  <[EMAIL PROTECTED]>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

-- 
Sent via pgsql-patches mailing list (pgsql-patches@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches

Re: [PATCHES] WIP: plpgsql source code obfuscation

Reply via email to