Re: sandboxing untrusted code
Jeff Davis <pgsql@j-davis.com>
From: Jeff Davis <pgsql@j-davis.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Andres Freund <andres@anarazel.de>, PostgreSQL-development <pgsql-hackers@postgresql.org>, Noah Misch <noah@leadboat.com>
Date: 2026-04-24T00:47:11Z
Lists: pgsql-hackers
On Thu, 2023-08-31 at 11:25 -0400, Robert Haas wrote: > And that brings me to another point, which is that we might think of > sandboxing some operations, either by default or unconditionally, for > reasons other than trust or the lack of it. There's a lot of things > that you COULD do in an index expression that you really SHOULD NOT > do. As mentioned, even reading a table is pretty sketchy, but should > a > function called from an index expression ever be allowed to execute > DDL? Is it reasonable if such a function wants to execute CREATE > TABLE? Even a temporary table is dubious, and a non-temporary table > is > really dubious. What if such a function wants to ALTER ROLE ... > SUPERUSER? I think that's bonkers and should almost certainly be > categorically denied. Probably someone is trying to hack something, > and even if they aren't, it's still nuts. So I would argue that in a > context like an index expression, some amount of sandboxing -- not > necessarily corresponding to either of the levels described above -- > is probably a good idea, not based on the relationship between > whatever users are involved, but based rather on the context. There's > room for a lot of bikeshedding here and I don't think this kind of > thing is necessarily the top priority, but I think it's worth > thinking > about. "sandboxing... based rather on context" is worth discussing further, in my opinion. Imagine two criteria: (a) how hard is it to avoid accidentally invoking the expression; and (b) how restrictive a sandbox around the expression might be before it breaks reasonable use cases. For instance, index expressions are pretty hard to avoid invoking accidentally, but a sandbox could be quite restrictive before it really started breaking index expressions. In contrast, we can't be too restrictive when evaluating functions-in-views because it would break too many things, but whether they get executed accidentally can be controlled with restrict_nonsystem_relation_kind. Regards, Jeff Davis
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix possible crash in tablesync worker.
- b5c517379a40 16.0 landed
-
Display 'password_required' option for \dRs+ command.
- 19e65dff38bd 16.0 landed
-
Restart the apply worker if the 'password_required' option is changed.
- c1cc4e688b60 16.0 landed
-
Fix possible logical replication crash.
- e7e7da2f8d57 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 landed
-
Expand AclMode to 64 bits
- 7b378237aa80 16.0 cited
-
More cleanup of a2ab9c06ea.
- 96a6f11c0625 15.0 landed
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 landed
-
Improve table locking behavior in the face of current DDL.
- 2ad36c4e44c8 9.2.0 cited