Re: plpgsql by default
| От | Joshua D. Drake |
|---|---|
| Тема | Re: plpgsql by default |
| Дата | |
| Msg-id | 443B267C.9010608@commandprompt.com обсуждение исходный текст |
| Ответ на | Re: plpgsql by default (was: Re: Remote administration contrib module) (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: plpgsql by default
Re: plpgsql by default |
| Список | pgsql-hackers |
Tom Lane wrote:
> Andrew - Supernews <andrew+nonews@supernews.com> writes:
>> On 2006-04-10, Bruce Momjian <pgman@candle.pha.pa.us> wrote:
>>>> [ security ]
>>> It actually is the reason I have heard.
>
>> And it was duly debunked.
>
> That is the reasoning, and personally I agree with it. You don't leave
> sharp objects sitting around if you have no need to have them out.
Uhmmm exactly how is plpgsql a sharp object? plPerl... ok that makes
sense but you can't access the underlying OS with plpgsql.
> The availability of plpgsql or other PLs makes for a significant jump
> in what a bad guy can do if he gets access to the database,
What does enabling plpgsql do via access that you can't just do from an
SQL query?
Joshua D. Drake
so if a
> particular DB doesn't actually need the capability, it's best that it
> not be there. And that's without considering the possibility of genuine
> security holes in the PL, but just supposing that it only does what it's
> supposed to do.
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo@postgresql.org so that your
> message can get through to the mailing list cleanly
>
--
=== The PostgreSQL Company: Command Prompt, Inc. === Sales/Support: +1.503.667.4564 || 24x7/Emergency:
+1.800.492.2240 Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
В списке pgsql-hackers по дате отправления: