On 07/16/2013 09:14 PM, I wrote:
> But okay, you're saying we *have* and *want* a guarantee that even a
> superuser cannot execute arbitrary native code via libpq (at least in
> default installs w/o extensions).
I stand corrected and have to change my position, again. For the record:
We do not have such a guarantee. Nor does it seem reasonable to want
one. On a default install, it's well possible for the superuser to run
arbitrary code via just libpq.
There are various ways to do it, but the simplest one I was shown is:
- upload a DSO from the client into a large object
- SELECT lo_export() that LO to a file on the server
- LOAD it
There are a couple other options, so even if we let LOAD perform
permission checks (as I proposed before in this thread), the superuser
can still fiddle with function definitions. To the point that it doesn't
seem reasonable to try to protect against that.
Thus, the argument against the original proposal based on security
grounds is moot. Put another way: There already are a couple of
"backdoors" a superuser can use. By default. Or with plpgsql removed.
Thanks to Dimitri and Andres for patiently explaining and providing
examples.
Regards
Markus Wanner
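An added example, not part of the original mail, showing what a DBA can actually do about the situation described above: since there is no guarantee against a superuser loading native code, the practical controls are to keep the set of superusers small and to audit what native code is reachable from the catalogs. The queries below use only standard PostgreSQL system catalogs (pg_roles, pg_proc, pg_language, pg_namespace, pg_largeobject_metadata). The `$libdir/` filter is a heuristic I assume here: C-language functions installed by packaged extensions normally point into `$libdir`, so a probin outside it is worth a look.

```sql
-- 1. Who can do this at all? Every superuser is, by the argument above,
--    equivalent to "can run arbitrary native code on the server".
SELECT rolname
FROM pg_roles
WHERE rolsuper;

-- 2. Which C-language functions reference a shared object outside $libdir?
--    (assumption: packaged extensions live under $libdir; anything else is
--    either a deliberate custom build or something to investigate)
SELECT n.nspname,
       p.proname,
       p.probin,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_language  l ON l.oid = p.prolang
WHERE l.lanname = 'c'
  AND p.probin IS NOT NULL
  AND p.probin NOT LIKE '$libdir/%'
ORDER BY n.nspname, p.proname;

-- 3. Large objects owned by superusers: a DSO staged through lo_import()
--    would show up here until it is unlinked.
SELECT m.oid AS lo_oid,
       pg_get_userbyid(m.lomowner) AS owner
FROM pg_largeobject_metadata m
JOIN pg_roles r ON r.oid = m.lomowner
WHERE r.rolsuper;
```

Note that LOAD itself leaves no trace in the catalogs, so the third query only helps while the staged object still exists; if you want a record of LOAD being executed, statement logging (log_statement = 'all', or 'ddl' does not cover it) is the place to look, not the catalogs.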