Re: Specification for Trusted PLs?

On Fri, May 21, 2010 at 12:36:50PM -0700, David Fetter wrote:
> On Fri, May 21, 2010 at 03:15:27PM -0400, Tom Lane wrote:
> > Robert Haas <robertmhaas@gmail.com> writes:
> > > On Fri, May 21, 2010 at 2:21 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > >> (1) no access to system calls (including file and network I/O)
> > >> (2) no access to process memory, other than variables defined within the
> > >> PL.
> > >> What else?
> > 
> > > Doesn't subvert the general PostgreSQL security mechanisms?  Not
> > > sure how to formulate that.
> > 
> > As long as you can't do database access except via SPI, that should
> > be covered.  So I guess the next item on the list is no, or at least
> > restricted, access to functions outside the PL's own language.
> 
> "No access" seems pretty draconian.
> 
> How about limiting such access to functions of equal or lower
> trustedness?

I see that's confusing.  What I meant was that functions in trusted
languages should be able to call other functions in trusted languages,
while functions in untrusted languages shouldn't be restricted as to
what other functions they can call.

Cheers,
David.
-- 
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate