Re: Security hole in PL/pgSQL
From | Jan Wieck |
---|---|
Subject | Re: Security hole in PL/pgSQL |
Date | |
Msg-id | 200101291629.LAA03679@jupiter.greatbridge.com |
In reply to | Re: Security hole in PL/pgSQL (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |

Tom Lane wrote:
> Jan Wieck <janwieck@Yahoo.com> writes:
> > the new EXECUTE command in PL/pgSQL is a security hole.
> > PL/pgSQL is a trusted procedural language, meaning that
> > regular users can write code in it. With the new EXECUTE
> > command, someone could read and write arbitrary files under
> > the postgres UNIX-userid using the COPY command.
>
> Huh? This would only be true if all operations inside plpgsql are
> executed as superuser, which they are not. Seems to me the existing
> defense against non-superuser using COPY is sufficient.

Phew, you save my day. I should better think twice before ringing the alarm bell :-)

Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck@Yahoo.com #
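
The point made in the quoted reply, that a statement run through PL/pgSQL's EXECUTE is checked against the calling user's privileges, can be verified with the following added example, which is not part of the original message or of the PostgreSQL sources. It is written in current PostgreSQL syntax rather than that of 2001; the role name, function name and file path are hypothetical, and it assumes a superuser session in a scratch database.

```sql
-- Added example; all names and the target path are hypothetical.
-- Run as a superuser in a scratch database.
CREATE ROLE plpgsql_demo_user NOLOGIN;

-- SECURITY INVOKER is the default and is spelled out here: the body,
-- including the dynamic statement, runs with the caller's privileges
-- even though a superuser owns the function.
CREATE FUNCTION try_copy_to_file(target text) RETURNS text
LANGUAGE plpgsql SECURITY INVOKER AS $$
BEGIN
    -- Dynamic SQL built at run time, as with the EXECUTE command
    -- discussed in the thread. %L quotes the path as a literal.
    EXECUTE format('COPY (SELECT 1) TO %L', target);
    RETURN 'COPY succeeded as ' || current_user;
EXCEPTION
    WHEN insufficient_privilege THEN
        -- The server-side file check in COPY fired for this caller.
        RETURN 'COPY refused for ' || current_user || ': ' || SQLERRM;
END;
$$;

GRANT EXECUTE ON FUNCTION try_copy_to_file(text) TO plpgsql_demo_user;

-- Call the function as the unprivileged role.
SET ROLE plpgsql_demo_user;
SELECT try_copy_to_file('/tmp/plpgsql_copy_demo.out');
RESET ROLE;

-- Clean up.
DROP FUNCTION try_copy_to_file(text);
DROP ROLE plpgsql_demo_user;
```

The SELECT issued under the unprivileged role returns the "COPY refused" branch, because the privilege check for COPY to a server-side file applies to the statement regardless of whether it was issued directly or through EXECUTE.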