Re: Dumping an Extension's Script

Andres Freund <andres@anarazel.de>

From: Andres Freund <andres@anarazel.de>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Dimitri Fontaine <dimitri@2ndQuadrant.fr>, Heikki Linnakangas <hlinnakangas@vmware.com>, Simon Riggs <simon@2ndquadrant.com>, Robert Haas <robertmhaas@gmail.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2012-12-05T21:59:57Z
Lists: pgsql-hackers
On 2012-12-05 16:42:38 -0500, Tom Lane wrote:
> Andres Freund <andres@anarazel.de> writes:
> > On 2012-12-05 16:20:41 -0500, Tom Lane wrote:
> >> GUC or no GUC, it'd still be letting an unprivileged network-exposed
> >> application (PG) do something that's against any sane system-level
> >> security policy.  Lipstick is not gonna help this pig.
>
> > What about the non-writable per cluster directory? Thats something I've
> > actively wished for in the past when developing a C module thats also
> > used in other clusters.
>
> I see no security objection to either per-cluster or per-database
> script+control-file directories, as long as they can only contain
> SQL scripts and not executable files.

Well, I was explicitly talking about C code above. The question doesn't
really have to do too much with this thread, sorry. Given I am proposing
the directory to be explicitly read-only and under permission that don't
allow postgres to change that its not really suitable for this topic...

Greetings,

Andres Freund