Received: from localhost (unknown [200.46.204.183]) by postgresql.org (Postfix) with ESMTP id 63406650207 for ; Wed, 30 Jul 2008 19:08:02 -0300 (ADT) Received: from postgresql.org ([200.46.204.86]) by localhost (mx1.hub.org [200.46.204.183]) (amavisd-maia, port 10024) with ESMTP id 88427-04 for ; Wed, 30 Jul 2008 19:07:55 -0300 (ADT) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from lists.commandprompt.com (host-159.commandprompt.net [207.173.203.159]) by postgresql.org (Postfix) with ESMTP id 4A7646501D6 for ; Wed, 30 Jul 2008 19:07:59 -0300 (ADT) Received: from perhan.alvh.no-ip.org (190-95-31-93.bk17-dsl.surnet.cl [190.95.31.93]) (authenticated bits=0) by lists.commandprompt.com (8.13.8/8.13.8) with ESMTP id m6UMATUF001681 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 30 Jul 2008 15:10:32 -0700 Received: by perhan.alvh.no-ip.org (Postfix, from userid 1000) id 45C0B47C94; Wed, 30 Jul 2008 18:07:53 -0400 (CLT) Date: Wed, 30 Jul 2008 18:07:53 -0400 From: Alvaro Herrera To: Tom Lane Cc: pgsql-hackers@postgreSQL.org Subject: Re: Should creating a new base type require superuser status? Message-ID: <20080730220753.GG3977@alvh.no-ip.org> References: <19715.1217447413@sss.pgh.pa.us> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <19715.1217447413@sss.pgh.pa.us> User-Agent: Mutt/1.5.18 (2008-05-17) X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (lists.commandprompt.com [207.173.203.159]); Wed, 30 Jul 2008 15:10:33 -0700 (PDT) X-Virus-Scanned: Maia Mailguard 1.0.1 X-Spam-Status: No, hits=0 tagged_above=0 required=5 tests=none X-Spam-Level: X-Archive-Number: 200807/1450 X-Sequence-Number: 121710 Tom Lane wrote: > If you're not clear on why CREATE TYPE in the hands of a bad guy is > dangerous, here are a couple of reasons: > > * By specifying type representation details (len/byval/align) that are > different from what the type's functions expect, you could trivially > crash the backend, and less trivially use a pass-by-reference I/O > function to read out the contents of backend memory. I think being able to return cstring from a user defined function is quite dangerous already. I doubt we would ever give that capability to non-superusers. I do agree that creating base types should require a superuser though. It too seems dangerous just on principle, even if today there's no actual hole (that we already know of). -- Alvaro Herrera http://www.CommandPrompt.com/ The PostgreSQL Company - Command Prompt, Inc.