Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Noah Misch <noah@leadboat.com>, pgsql-hackers@postgresql.org
Date: 2012-06-12T19:13:26Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes: > On Tue, Jun 12, 2012 at 11:31 AM, Noah Misch <noah@leadboat.com> wrote: >>> This seems bizarre and largely unnecessary. As you stated to begin >>> with, granting ownership of a function implies some degree of trust. >> Yes, but I would never expect that level of trust to include access to crash >> the server as a consequence of the function's reliance on STRICT. > +1. Crashes are bad. C functions, by definition, carry a risk of crashing the server. I cannot fathom the reasoning why we should consider that granting ownership of one to an untrustworthy user is ever a good idea, let alone something we promise to protect you from any bad consequences of. Even if I accepted that premise, this patch is a pretty bad implementation of it, because it restricts cases that there is no reason to think are unsafe. A less bizarre and considerably more future-proof restriction, IMO, would simply refuse any attempt to give ownership of a C function to a non-superuser. regards, tom lane