Re: Interpretation of TRUSTED
From | Tom Lane |
---|---|
Subject | Re: Interpretation of TRUSTED |
Date | |
Msg-id | 10962.1107904138@sss.pgh.pa.us |
In response to | Re: Interpretation of TRUSTED (David Fetter <david@fetter.org>) |
Responses | Re: Interpretation of TRUSTED |
List | pgsql-hackers |

David Fetter <david@fetter.org> writes:
> On Tue, Feb 08, 2005 at 11:12:07PM +0100, Thomas Hallgren wrote:
>> Is it OK to design a trusted language so that it allows access to
>> the filesystem provided that the session user is a super-user?

> I believe that that is what UNTRUSTED languages are for. Only the
> super-user may create functions in them, although there is no inherent
> restriction on other users' calling those functions.

AFAICS, what Thomas proposes would be exactly equivalent to root running scripts owned by non-root users --- in this case, if session user is root then functions written by other people would be allowed to do things they normally shouldn't be able to do. It strikes me as a great loophole for Trojan-horse functions.

Not that a sane superuser would run functions controlled by other people in the first place.

regards, tom lane
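
An audit query for the exposure discussed in this message, added here as an example and not part of the original post: it lists functions owned by non-superuser roles, which is the code that would gain filesystem access under the proposal whenever a superuser session called it. It assumes a current PostgreSQL release and reads only the standard catalogs `pg_proc`, `pg_language`, `pg_namespace` and `pg_roles`.

```sql
-- Added example (not from the original message).
-- Functions whose body is controlled by a non-superuser role. If a
-- "trusted" language granted extra rights based on the session user,
-- every row here is code that a superuser session would be elevating.
SELECT n.nspname                                  AS schema_name,
       p.proname                                  AS function_name,
       pg_get_function_identity_arguments(p.oid)  AS arguments,
       l.lanname                                  AS language,
       l.lanpltrusted                             AS language_is_trusted,
       r.rolname                                  AS owner,
       -- false = SECURITY INVOKER: runs with the caller's privileges,
       -- so a superuser caller lends it superuser rights at the SQL level.
       p.prosecdef                                AS security_definer
FROM   pg_catalog.pg_proc      AS p
JOIN   pg_catalog.pg_namespace AS n ON n.oid = p.pronamespace
JOIN   pg_catalog.pg_language  AS l ON l.oid = p.prolang
JOIN   pg_catalog.pg_roles     AS r ON r.oid = p.proowner
WHERE  NOT r.rolsuper                              -- owner can replace the body
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY l.lanpltrusted,                          -- untrusted-language rows first
          r.rolname, n.nspname, p.proname;
```

Rows with `language_is_trusted = false` and a non-superuser owner deserve the first look, since only a superuser may create functions in an untrusted language and ownership must have changed afterwards.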