Re: Specification for Trusted PLs?
David Fetter <david@fetter.org>
From: David Fetter <david@fetter.org>
To: Peter Eisentraut <peter_e@gmx.net>
Cc: Robert Haas <robertmhaas@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, Stephen Frost <sfrost@snowman.net>, Magnus Hagander <magnus@hagander.net>, Josh Berkus <josh@agliodbs.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2010-05-27T23:10:15Z
Lists: pgsql-hackers
On Fri, May 28, 2010 at 01:03:15AM +0300, Peter Eisentraut wrote: > On fre, 2010-05-21 at 14:22 -0400, Robert Haas wrote: > > On Fri, May 21, 2010 at 2:21 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > > Robert Haas <robertmhaas@gmail.com> writes: > > >> So... can we get back to coming up with a reasonable > > >> definition, > > > > > > (1) no access to system calls (including file and network I/O) > > > > > > (2) no access to process memory, other than variables defined > > > within the PL. > > > > > > What else? > > > > Doesn't subvert the general PostgreSQL security mechanisms? Not > > sure how to formulate that. > > Succinctly: A trusted language does not grant access to data that > the user would otherwise not have. That's a great definition from a point of view of understanding by human beings. A whitelist system will work better from the point of automating tests which, while they couldn't conclusively prove that something was actually this way, could go a long way toward making sure that PLs didn't regress into untrusted territory. Cheers, David. -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate