Re: allowing privileges on untrusted languages
| From | Tom Lane |
|---|---|
| Subject | Re: allowing privileges on untrusted languages |
| Date | |
| Msg-id | 8630.1357917904@sss.pgh.pa.us |
| In reply to | allowing privileges on untrusted languages (Peter Eisentraut <peter_e@gmx.net>) |
| Responses | Re: allowing privileges on untrusted languages |
| List | pgsql-hackers |
Peter Eisentraut <peter_e@gmx.net> writes:
> It turned out that actually getting rid of lanpltrusted would be too
> invasive, especially because some language handlers use it to determine
> their own behavior.

> So instead the lanpltrusted attribute now just determines what the
> default privileges of the language are, and all the checks that require
> superuserness to do anything with untrusted languages are removed.

Hmm ... that worries me a bit. It seems like system security will now
require being sure that the permissions on the language match the
lanpltrusted setting. Even if the code is right today, there's a lot of
scope for future oversights with security implications. Don't know what
we could do to mitigate that.

In particular, have you thought carefully about upgrade scenarios? Will a
dump-and-restore of a pre-9.3 installation end up with safe language
privileges?

In the same vein, I'm worried that the proposed change in pg_dump will do
the wrong thing when looking at a pre-9.3 server. Is any
server-version-dependent behavior needed there?

regards, tom lane
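The concern raised above, that the ACL on a language must stay consistent with its lanpltrusted flag, can be turned into a catalog audit. The query below is an added example written for this page, not code from the thread or from the PostgreSQL project; it assumes the standard pg_catalog.pg_language columns (lanname, lanpltrusted, lanacl), the aclexplode() catalog function, and a server new enough for LATERAL (9.3, the release the thread is about). It lists every untrusted language that grants USAGE to PUBLIC or to any non-superuser role, which is exactly the mismatch a dump-and-restore could introduce.

```sql
-- Audit: untrusted procedural languages usable by non-superusers.
-- Added example, not from the thread. Assumes pg_catalog.pg_language,
-- aclexplode() and LATERAL (PostgreSQL 9.3+). Run as a superuser after
-- an upgrade or dump-and-restore; an empty result means every untrusted
-- language's explicit ACL is restricted to superusers.
SELECT l.lanname,
       l.lanpltrusted,
       -- grantee oid 0 in an aclitem denotes PUBLIC
       CASE WHEN a.grantee = 0 THEN 'PUBLIC' ELSE r.rolname END AS grantee,
       a.privilege_type
FROM pg_catalog.pg_language AS l
CROSS JOIN LATERAL aclexplode(l.lanacl) AS a
LEFT JOIN pg_catalog.pg_roles AS r ON r.oid = a.grantee
WHERE NOT l.lanpltrusted
  AND a.privilege_type = 'USAGE'
  AND (a.grantee = 0 OR NOT r.rolsuper)
ORDER BY l.lanname, grantee;
```

A NULL lanacl means the language carries no explicit grants and the built-in default applies, so aclexplode() yields no rows for it and the language does not appear; the query therefore only flags explicit grants that contradict lanpltrusted, which is the case an upgrade or a hand-edited ACL would produce.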