Thread
Commits
-
Invent start_proc parameters for PL/Tcl.
- 0d2b1f305dc7 10.0 landed
-
Remove PL/Tcl's "module" facility.
- 817f2a586342 10.0 landed
-
Remove all of the libpgtcl and pgtclsh files, including all references to
- 41fa9e9bae60 8.0.0 cited
-
I propose killing PL/Tcl's "modules" infrastructure
Tom Lane <tgl@sss.pgh.pa.us> — 2017-02-25T18:14:07Z
Over in https://www.postgresql.org/message-id/alpine.DEB.2.11.1702251701030.3920@Sandal.Woodpecker it's pointed out that pltcl_loadmod was never updated for the switch to standard_conforming_strings (and the patch proposed there doesn't begin to cover all the places that would need fixed for that). This means that the "modules" functionality is entirely broken in any installation that's got standard_conforming_strings turned on, which has been the default since 9.1 and was possible long before that. The fact that nobody has noticed seems to me to be clear proof that no one is using this feature in the field. Now, we could try to fix this bug, and add the regression test coverage that the code clearly lacks, and upgrade the documentation about it from its currently very sad state. But I think the right answer is just to remove the feature altogether. It's evidently not being used, and it's kind of insecure by design, and it would not be that hard for someone to provide equivalent functionality entirely in userland if they really wanted it. Comments? regards, tom lane
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> — 2017-02-25T18:37:26Z
On 02/25/2017 01:14 PM, Tom Lane wrote: > Over in > https://www.postgresql.org/message-id/alpine.DEB.2.11.1702251701030.3920@Sandal.Woodpecker > it's pointed out that pltcl_loadmod was never updated for the switch > to standard_conforming_strings (and the patch proposed there doesn't > begin to cover all the places that would need fixed for that). > > This means that the "modules" functionality is entirely broken in any > installation that's got standard_conforming_strings turned on, which has > been the default since 9.1 and was possible long before that. > > The fact that nobody has noticed seems to me to be clear proof that no one > is using this feature in the field. > > Now, we could try to fix this bug, and add the regression test coverage > that the code clearly lacks, and upgrade the documentation about it from > its currently very sad state. But I think the right answer is just to > remove the feature altogether. It's evidently not being used, and it's > kind of insecure by design, and it would not be that hard for someone > to provide equivalent functionality entirely in userland if they really > wanted it. > > Comments? > > In PLv8 we added a parameter plv8.start_proc that names a parameterless function that's executed when plv8 is first called in each session. It can be used quite easily to implement something like a modules infrastructure - in fact I have used it to good effect for exactly that. Maybe something similar for pltcl would be a good thing. cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Joshua D. Drake <jd@commandprompt.com> — 2017-02-25T18:39:14Z
On 02/25/2017 10:14 AM, Tom Lane wrote: > Now, we could try to fix this bug, and add the regression test coverage > that the code clearly lacks, and upgrade the documentation about it from > its currently very sad state. But I think the right answer is just to > remove the feature altogether. It's evidently not being used, and it's > kind of insecure by design, and it would not be that hard for someone > to provide equivalent functionality entirely in userland if they really > wanted it. I don't see a reason to keep pl/tcl in core at all so ripping out the functionality seems the least disruptive and perhaps even a deprecation of the PL (at least from a core perspective) in v10. JD -- Command Prompt, Inc. http://the.postgres.company/ +1-503-667-4564 PostgreSQL Centered full stack support, consulting and development. Everyone appreciates your honesty, until you are honest with them. Unless otherwise stated, opinions are my own. -
Re: I propose killing PL/Tcl's "modules" infrastructure
Tom Lane <tgl@sss.pgh.pa.us> — 2017-02-25T18:44:48Z
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes: > On 02/25/2017 01:14 PM, Tom Lane wrote: >> Now, we could try to fix this bug, and add the regression test coverage >> that the code clearly lacks, and upgrade the documentation about it from >> its currently very sad state. But I think the right answer is just to >> remove the feature altogether. It's evidently not being used, and it's >> kind of insecure by design, and it would not be that hard for someone >> to provide equivalent functionality entirely in userland if they really >> wanted it. > In PLv8 we added a parameter plv8.start_proc that names a parameterless > function that's executed when plv8 is first called in each session. It > can be used quite easily to implement something like a modules > infrastructure - in fact I have used it to good effect for exactly that. > Maybe something similar for pltcl would be a good thing. Yeah, the only part that's even a bit hard to replicate in userland is initializing the autoloading mechanism in each session. It would be cleaner to provide a feature similar to what you describe that could be used for that purpose as well as others. However, where does the "parameterless function" come from? Is it a regular PLv8 (or for this purpose PL/Tcl) function expected to be present in pg_proc? regards, tom lane
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Tom Lane <tgl@sss.pgh.pa.us> — 2017-02-25T18:46:53Z
"Joshua D. Drake" <jd@commandprompt.com> writes: > I don't see a reason to keep pl/tcl in core at all so ripping out the > functionality seems the least disruptive and perhaps even a deprecation > of the PL (at least from a core perspective) in v10. I'm not in any hurry to remove or deprecate PL/Tcl as a whole. It's gotten more love in the past year than it got in the previous ten, so evidently there are still people out there who use it. But they don't seem to be using this particular part of it. regards, tom lane
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> — 2017-02-25T18:55:26Z
On 02/25/2017 01:44 PM, Tom Lane wrote: > Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes: >> On 02/25/2017 01:14 PM, Tom Lane wrote: >>> Now, we could try to fix this bug, and add the regression test coverage >>> that the code clearly lacks, and upgrade the documentation about it from >>> its currently very sad state. But I think the right answer is just to >>> remove the feature altogether. It's evidently not being used, and it's >>> kind of insecure by design, and it would not be that hard for someone >>> to provide equivalent functionality entirely in userland if they really >>> wanted it. >> In PLv8 we added a parameter plv8.start_proc that names a parameterless >> function that's executed when plv8 is first called in each session. It >> can be used quite easily to implement something like a modules >> infrastructure - in fact I have used it to good effect for exactly that. >> Maybe something similar for pltcl would be a good thing. > Yeah, the only part that's even a bit hard to replicate in userland is > initializing the autoloading mechanism in each session. It would be > cleaner to provide a feature similar to what you describe that could > be used for that purpose as well as others. However, where does the > "parameterless function" come from? Is it a regular PLv8 (or for this > purpose PL/Tcl) function expected to be present in pg_proc? > > Yes, it's a regular PLv8 function.Here's an example. It presupposes that there is a table called plv8_modules (modname text, code text, load_on_start boolean). CREATE OR REPLACE FUNCTION public.plv8_startup() RETURNS void LANGUAGE plv8 AS $function$ if (typeof plv8_loaded_modules == 'undefined') plv8_loaded_modules = {}; load_module = function(modname) { if (plv8_loaded_modules[modname]) return; var rows = plv8.execute("SELECT code from plv8_modules " + " where modname = $1", [modname]); for (var r = 0; r < rows.length; r++) { var code = rows[r].code; eval("(function() { " + code + "})")(); // plv8.elog(NOTICE,"loaded module " + modname); plv8_loaded_modules[modname] = 1; } }; reload_module = function(modname) { var rows = plv8.execute("SELECT code from plv8_modules " + " where modname = $1", [modname]); for (var r = 0; r < rows.length; r++) { var code = rows[r].code; eval("(function() { " + code + "})")(); // plv8.elog(NOTICE,"loaded module " + modname); plv8_loaded_modules[modname] = 1; } }; var rows = plv8.execute("SELECT modname, code from plv8_modules where load_on_start"); for (var r = 0; r < rows.length; r++) { var modname = rows[r].modname; if (plv8_loaded_modules[modname]) continue; var code = rows[r].code; eval("(function() { " + code + "})")(); plv8_loaded_modules[modname] = 1; // plv8.elog(NOTICE,"loaded module " + modname); }; $function$; cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -
Re: I propose killing PL/Tcl's "modules" infrastructure
Tom Lane <tgl@sss.pgh.pa.us> — 2017-02-25T19:21:25Z
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes: > On 02/25/2017 01:44 PM, Tom Lane wrote: >> Yeah, the only part that's even a bit hard to replicate in userland is >> initializing the autoloading mechanism in each session. It would be >> cleaner to provide a feature similar to what you describe that could >> be used for that purpose as well as others. However, where does the >> "parameterless function" come from? Is it a regular PLv8 (or for this >> purpose PL/Tcl) function expected to be present in pg_proc? > Yes, it's a regular PLv8 function. OK ... how do you handle security considerations? Can the GUC be set at any time/by anybody? What determines whether you have permissions to call the particular function? regards, tom lane
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> — 2017-02-25T20:11:12Z
On 02/25/2017 02:21 PM, Tom Lane wrote: > Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes: >> On 02/25/2017 01:44 PM, Tom Lane wrote: >>> Yeah, the only part that's even a bit hard to replicate in userland is >>> initializing the autoloading mechanism in each session. It would be >>> cleaner to provide a feature similar to what you describe that could >>> be used for that purpose as well as others. However, where does the >>> "parameterless function" come from? Is it a regular PLv8 (or for this >>> purpose PL/Tcl) function expected to be present in pg_proc? >> Yes, it's a regular PLv8 function. > OK ... how do you handle security considerations? Can the GUC be set > at any time/by anybody? What determines whether you have permissions > to call the particular function? > > It can be set by anyone, IIRC. Maybe it should be SUSET only, I don't know. It's executed as the session owner. Execute permission on the function are determined the same way as for any function. It's an ordinary function call. The only difference is in how the call gets triggered. cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Tom Lane <tgl@sss.pgh.pa.us> — 2017-02-26T18:09:31Z
I wrote: > Now, we could try to fix this bug, and add the regression test coverage > that the code clearly lacks, and upgrade the documentation about it from > its currently very sad state. But I think the right answer is just to > remove the feature altogether. BTW, I tried to poke into what it would take to write some regression test coverage, and immediately hit a show-stopper: $ pltcl_loadmod --help can't find package Pgtcl while executing "package require Pgtcl" (file "/home/postgres/testversion/bin/pltcl_loadmod" line 10) That is, these scripts depend on the old Tcl client library, which we removed from our core distro in 2004 (cf commit 41fa9e9ba). So we don't even have a way of creating self-contained tests for them. At this point I think there's no question that src/pl/tcl/modules/ needs to go away. There might be some argument for retaining the "autoload the unknown module" startup behavior in pltcl proper, but I think that Andrew Dunstan's proposal of calling an initialization function is a far cleaner solution. regards, tom lane -
Re: I propose killing PL/Tcl's "modules" infrastructure
Tom Lane <tgl@sss.pgh.pa.us> — 2017-02-26T19:54:42Z
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes: > [ we should borrow plv8's start_proc idea for pltcl ] So after thinking about this for awhile, I propose the following concrete spec for replacing pltcl's autoload-unknown behavior: * Invent two GUCs, pltcl.start_proc and pltclu.start_proc, which default to empty strings but can be set to the name (possibly schema-qualified) of a parameterless function that must be of the corresponding language. When so set, the specified function is called once just after creation of any pltcl or pltclu interpreter. * The function is called as the current SQL user, who must have permissions to call it. (This decision is more or less forced by the fact that pltcl interpreters are per-userid; we want whatever initialization gets done to be done in the new interpreter, and it would be very weird and probably a security hole if we weren't running as the same SQL userid that owns the interpreter.) * Pre-call error conditions (no such function, wrong language, or no permissions) result in a WARNING but the original operation continues. (Making these WARNING not ERROR is possibly debatable, but it looks like that's what plv8 does.) * If the function itself throws an error, we do a transaction abort, but the Tcl interpreter remains in existence and is deemed usable for later operations. So a failing start_proc can't lock you out of pltcl operations altogether. * I'm not terribly comfortable about what the permissions levels of the GUCs ought to be. The call permissions check means that you can't use either GUC to call a function you couldn't have called anyway. However there's a separate risk of trojan-horse execution, analogous to what a blackhat can get by controlling the search_path GUC setting used by a SECURITY DEFINER function: the function might intend to invoke some pltcl function, but you can get it to invoke some other pltcl function in addition to that. I think this means we had better make pltclu.start_proc be SUSET, but from a convenience standpoint it'd be nice if pltcl.start_proc were just USERSET. An argument in favor of that is that we don't restrict search_path which is just as dangerous; but on the other hand, existing code should be expected to know that it needs to beware of search_path, while it wouldn't know that start_proc needs to be locked down. Maybe we'd better make them both SUSET. Comments? regards, tom lane
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Robert Haas <robertmhaas@gmail.com> — 2017-02-27T06:53:04Z
On Mon, Feb 27, 2017 at 1:24 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > * I'm not terribly comfortable about what the permissions levels of the > GUCs ought to be. The call permissions check means that you can't use > either GUC to call a function you couldn't have called anyway. However > there's a separate risk of trojan-horse execution, analogous to what a > blackhat can get by controlling the search_path GUC setting used by a > SECURITY DEFINER function: the function might intend to invoke some pltcl > function, but you can get it to invoke some other pltcl function in > addition to that. I think this means we had better make pltclu.start_proc > be SUSET, but from a convenience standpoint it'd be nice if > pltcl.start_proc were just USERSET. An argument in favor of that is that > we don't restrict search_path which is just as dangerous; but on the other > hand, existing code should be expected to know that it needs to beware of > search_path, while it wouldn't know that start_proc needs to be locked > down. Maybe we'd better make them both SUSET. Making them SUSET sounds like a usability fail to me. I'm not sure how bad the security risks of NOT making them SUSET are, but I think if we find that SUSET is required for safety then we've squeezed most of the value out of the feature. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Tom Lane <tgl@sss.pgh.pa.us> — 2017-02-27T12:48:13Z
Robert Haas <robertmhaas@gmail.com> writes: > On Mon, Feb 27, 2017 at 1:24 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> * I'm not terribly comfortable about what the permissions levels of the >> GUCs ought to be. ... Maybe we'd better make them both SUSET. > Making them SUSET sounds like a usability fail to me. I'm not sure > how bad the security risks of NOT making them SUSET are, but I think > if we find that SUSET is required for safety then we've squeezed most > of the value out of the feature. Well, the feature it's replacing (autoload an "unknown" module) had to be squeezed down to being effectively superuser-only, so we're not really losing anything compared to where we are now. And the more I think about it, the less I think we can introduce a new security-critical GUC and just leave it as USERSET. regards, tom lane
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> — 2017-02-27T14:36:56Z
On 02/26/2017 02:54 PM, Tom Lane wrote: > * I'm not terribly comfortable about what the permissions levels of the > GUCs ought to be. The call permissions check means that you can't use > either GUC to call a function you couldn't have called anyway. However > there's a separate risk of trojan-horse execution, analogous to what a > blackhat can get by controlling the search_path GUC setting used by a > SECURITY DEFINER function: the function might intend to invoke some pltcl > function, but you can get it to invoke some other pltcl function in > addition to that. I think this means we had better make pltclu.start_proc > be SUSET, but from a convenience standpoint it'd be nice if > pltcl.start_proc were just USERSET. An argument in favor of that is that > we don't restrict search_path which is just as dangerous; but on the other > hand, existing code should be expected to know that it needs to beware of > search_path, while it wouldn't know that start_proc needs to be locked > down. Maybe we'd better make them both SUSET. > plperl's on_plperl_init and on_plperlu_init settings are both SUSET. In practice with PLv8 this is usually set in the config file in my experience. cheers andrew -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Tom Lane <tgl@sss.pgh.pa.us> — 2017-02-27T20:42:26Z
Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes: > On 02/26/2017 02:54 PM, Tom Lane wrote: >> * I'm not terribly comfortable about what the permissions levels of the >> GUCs ought to be. > plperl's on_plperl_init and on_plperlu_init settings are both SUSET. > In practice with PLv8 this is usually set in the config file in my > experience. Ah, I'd forgotten about that precedent. Being consistent with that seems like a good thing --- and I agree with your point that this would likely usually be set in postgresql.conf anyway, making the issue rather moot. I noticed also that the precedent of plperl is that if the init code fails, we give up on use of that interpreter, and try again to run the init code if plperl is used again. This is different from what I had in my draft spec but it probably is a better definition; without it, people might find themselves running in Tcl interpreters that do not behave as intended. In sum, then, PFA a patch that adds these GUCs. They're still function names but otherwise the details are closer to what plperl does. regards, tom lane
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Jim Nasby <jim.nasby@bluetreble.com> — 2017-03-01T22:31:36Z
On 2/27/17 2:42 PM, Tom Lane wrote: > + SET pltcl.start_proc = 'no_such_function'; > + select tcl_int4add(1, 2); > + ERROR: function no_such_function() does not exist Can the error message be more explicit somehow? Otherwise people will be quite confused as to where no_such_function() is coming from. <begin creature-feep> BTW, I'd think this functionality would be valuable for every PL. Maybe it's worth adding formal support for it to pg_language et all and leave it up to each language to decide whether it's supported or not? Multiple init functions might be useful too, similar to how we support multiple hook functions (though presumably a field of regproc[] is a better way to handle that...) I'm also wondering if there'd be value to supporting code that runs on each function invocation. -- Jim Nasby, Data Architect, Blue Treble Consulting, Austin TX Experts in Analytics, Data Architecture and PostgreSQL Data in Trouble? Get it in Treble! http://BlueTreble.com 855-TREBLE2 (855-873-2532)
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Tom Lane <tgl@sss.pgh.pa.us> — 2017-03-02T17:59:58Z
Jim Nasby <Jim.Nasby@BlueTreble.com> writes: > On 2/27/17 2:42 PM, Tom Lane wrote: >> + SET pltcl.start_proc = 'no_such_function'; >> + select tcl_int4add(1, 2); >> + ERROR: function no_such_function() does not exist > Can the error message be more explicit somehow? Otherwise people will be > quite confused as to where no_such_function() is coming from. After thinking about that for awhile, it seemed like the most useful thing to do is to set up an errcontext callback that will be active throughout execution of the start_proc. That will cover both setup failures like the above, and errors occurring within the start_proc, which could be equally confusing if you think they apply to the function you initially tried to call. v2 patch attached that does it like that. > <begin creature-feep> > BTW, I'd think this functionality would be valuable for every PL. Maybe for some. I see no value in putting anything about it in pg_language though. I don't see that we could share any useful amount of mechanism, and it won't necessarily look the same in every language --- plperl for instance prefers code fragments over procedures. In any case, I'm not going there in this patch. regards, tom lane
-
Re: I propose killing PL/Tcl's "modules" infrastructure
Robert Haas <robertmhaas@gmail.com> — 2017-03-04T08:24:11Z
On Thu, Mar 2, 2017 at 11:29 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > After thinking about that for awhile, it seemed like the most useful thing > to do is to set up an errcontext callback that will be active throughout > execution of the start_proc. That will cover both setup failures like > the above, and errors occurring within the start_proc, which could be > equally confusing if you think they apply to the function you initially > tried to call. v2 patch attached that does it like that. +1 for that approach. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company