Re: Specification for Trusted PLs?
| От | Jan Wieck |
|---|---|
| Тема | Re: Specification for Trusted PLs? |
| Дата | |
| Msg-id | 4BF9E84F.3010508@Yahoo.com обсуждение исходный текст |
| Ответ на | Re: Specification for Trusted PLs? (Andrew Dunstan <andrew@dunslane.net>) |
| Ответы |
Re: Specification for Trusted PLs?
|
| Список | pgsql-hackers |
On 5/23/2010 10:04 PM, Andrew Dunstan wrote: > > Jan Wieck wrote: >> On 5/23/2010 6:14 PM, Ron Mayer wrote: >>> Tom Lane wrote: >>>> Robert Haas <robertmhaas@gmail.com> writes: >>>>> So... can we get back to coming up with a reasonable >>>>> definition, >>>> >>>> (1) no access to system calls (including file and network I/O) >>> >>> If a PL has file access to it's own sandbox (similar to what >>> flash seems to do in web browsers), could that be considered >>> trusted? >> >> That is a good question. >> >> Currently, the first of all TRUSTED languages, PL/Tcl, would allow the >> function of a lesser privileged user access the "global" objects of >> every other database user created within the same session. >> >> These are per backend in memory objects, but none the less, an evil >> function could just scan the per backend Tcl namespace and look for >> compromising data, and that's not exactly what TRUSTED is all about. >> >> In the case of Tcl it is possible to create a separate "safe" >> interpreter per DB role to fix this. I actually think this would be >> the right thing to do. >> > > I think that would probably be serious overkill. Maybe a data stash per > role rather than an interpreter per role would be doable. it would > certainly be more lightweight. > > ISTM we are in danger of confusing several different things. A user that > doesn't want data to be shared should not stash it in global objects. > But to me, trusting a language is not about making data private, but > about not allowing the user to do things that are dangerous, such as > referencing memory, or the file system, or the operating system, or > network connections, or loading code which might do any of those things. How is "loading code which might do any of those things" different from writing a stored procedure, that accesses data, a careless "superuser" left in a global variable? Remember, the code of a PL function is "open" source - like in "everyone can select from pg_proc". You really don't expect anyone to scan for your global variables just because they can write functions in the same language? Jan -- Anyone who trades liberty for security deserves neither liberty nor security. -- Benjamin Franklin
В списке pgsql-hackers по дате отправления: