Re: Dumping an Extension's Script
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Andres Freund <andres@anarazel.de>
Cc: Dimitri Fontaine <dimitri@2ndQuadrant.fr>, Heikki Linnakangas <hlinnakangas@vmware.com>, Simon Riggs <simon@2ndquadrant.com>, Robert Haas <robertmhaas@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2012-12-05T21:42:38Z
Lists: pgsql-hackers
Andres Freund <andres@anarazel.de> writes: > On 2012-12-05 16:20:41 -0500, Tom Lane wrote: >> GUC or no GUC, it'd still be letting an unprivileged network-exposed >> application (PG) do something that's against any sane system-level >> security policy. Lipstick is not gonna help this pig. > What about the non-writable per cluster directory? Thats something I've > actively wished for in the past when developing a C module thats also > used in other clusters. I see no security objection to either per-cluster or per-database script+control-file directories, as long as they can only contain SQL scripts and not executable files. If we allow such things to be installed by less-than-superusers, we'll have to think carefully about what privileges are given when running the script. I forget at the moment how much of that we already worked out back in the 9.1 era; I remember it was discussed but not whether we had a bulletproof solution. regards, tom lane