Safe security (was: plperl _init settings)

Tim Bunce <tim.bunce@pobox.com>

From: Tim Bunce <Tim.Bunce@pobox.com>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>, Tim Bunce <Tim.Bunce@pobox.com>
Date: 2010-03-03T16:15:58Z
Lists: pgsql-hackers
On Tue, Mar 02, 2010 at 07:33:47PM -0500, Andrew Dunstan wrote:
> 
> There appears to be some significant misunderstanding of what can be
> done effectively using the various *_init settings for plperl.
> 
> In particular, some people have got an expectation that modules
> loaded in plperl.on_init will thereby be available for use in
> trusted plperl.
> 
> I propose to add the following note to the docs:
> 
>    Preloading modules using plperl.on_init does not make them available
>    for use by plperl. External perl modules can only be used in plperlu.
> 
> Comments?

Sounds good.

FYI the maintainers of Safe are aware of (at least) two exploits which
are being considered at the moment.

You might want to soften the wording in
http://developer.postgresql.org/pgdocs/postgres/plperl-trusted.html
"There is no way to ..." is a stronger statement than can be justified.

The docs for Safe http://search.cpan.org/~rgarcia/Safe-2.23/Safe.pm#WARNING
say "The authors make no warranty, implied or otherwise, about the
suitability of this software for safety or security purposes".

Tim.