Re: Security implications of (plpgsql) functions

Richard Huxton <dev@archonet.com>

From: Richard Huxton <dev@archonet.com>
To: Marcin Owsiany <marcin@owsiany.pl>, pgsql-general@postgresql.org
Date: 2002-10-21T16:56:40Z
Lists: pgsql-hackers, pgsql-general
On Saturday 19 Oct 2002 5:17 pm, Marcin Owsiany wrote:
[snipped infinite recursion function]
> The log says:
>  DEBUG:  server process (pid 3550) was terminated by signal 11
>  DEBUG:  terminating any other active server processes
>
> The thing that worries me most is the last message: postmaster terminates
> all other backends, therefore overflowing the stack via a plpgsql function
> can be used to DoS-attack the server.

You need to be careful allowing create access for *any* procedural language 
(and paranoid about 'C'). If nothing else, someone could craft a procedure 
that allocates a lot of memory and just wait. I'm note sure a sig11 is what 
we'd be looking for here though - I'd expect "unable to allocate memory". If 
one of the developers don't spot this, I'd report it as a bug.

> Is there anything one (as a postgresql installation admin) can do? 
> Disabling procedural languages in databases of the users I don't trust
> comes to mind, but does it really make me safe? I mean: won't such attack
> still be possible with pure SQL?

You can run a DoS fairly simply if you can connect multiple times - just 
select * from bigtable as a, bigtable as b will soon exhaust memory. It's not 
difficult to craft queries to drain CPU/disk IO either. You can control the 
amount of shared memory, sort memory and number of connections allowed though 
(see postgresql.conf) which gives an upper limit on the drain PG places on 
your machine.

You're along the right lines, restricting access to languages - only grant 
permissions where needed (this applies to tables etc too).
-- 
  Richard Huxton