Received: from localhost (unknown [200.46.204.183]) by postgresql.org (Postfix) with ESMTP id 8EAA8650010 for ; Sat, 2 Aug 2008 03:45:48 -0300 (ADT) Received: from postgresql.org ([200.46.204.86]) by localhost (mx1.hub.org [200.46.204.183]) (amavisd-maia, port 10024) with ESMTP id 16431-02 for ; Sat, 2 Aug 2008 03:45:43 -0300 (ADT) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from tada.se (1-1-2-48a.rny.sth.bostream.se [82.182.133.12]) by postgresql.org (Postfix) with ESMTP id B2E2D64FD3B for ; Sat, 2 Aug 2008 03:45:44 -0300 (ADT) Received: from [10.59.1.70] (unverified [88.131.27.66]) by tada.se (SurgeMail 3.9e) with ESMTP id 165715-1788151 for multiple; Sat, 02 Aug 2008 08:44:11 +0200 Message-ID: <48940239.8080401@tada.se> Date: Sat, 02 Aug 2008 08:44:09 +0200 From: Thomas Hallgren User-Agent: Thunderbird 2.0.0.16 (Windows/20080708) MIME-Version: 1.0 To: Tom Lane CC: Kris Jurka , pljava-dev@pgfoundry.org, Alvaro Herrera , pgsql-hackers@postgresql.org Subject: Re: Re: [Pljava-dev] Should creating a new base type require superuser status? References: <19715.1217447413@sss.pgh.pa.us> <20080730220753.GG3977@alvh.no-ip.org> <23846.1217539394@sss.pgh.pa.us> <48937589.10304@tada.se> <23725.1217626961@sss.pgh.pa.us> In-Reply-To: <23725.1217626961@sss.pgh.pa.us> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: 88.131.27.66 X-Authenticated-User: thomas@tada.se X-Virus-Scanned: Maia Mailguard 1.0.1 X-Spam-Status: No, hits=0.1 tagged_above=0 required=5 tests=RDNS_DYNAMIC=0.1 X-Spam-Level: X-Archive-Number: 200808/34 X-Sequence-Number: 121788 Tom Lane wrote: > Thomas Hallgren writes: > >> Tom, could you please elaborate where you see a security hole? >> > > The problem that we've seen in the past shows up when the user lies in > the CREATE TYPE command, specifying type representation properties that > are different from what the underlying functions expect. In particular, > if it's possible to pass a pass-by-value integer to a function > that's expecting a pass-by-reference datum, you can misuse the function > to access backend memory. > > This is a non-issue in PL/Java. An integer parameter is never passed by reference and there's no way the PL/Java user can get direct access to backend memory. > I gather from looking at the example that Kris referenced that there's > some interface code in between the SQL function call and the user's Java > code, and that that interface code is itself looking at the declared > properties of the SQL type to decide what to do. So to the extent that > that code is (a) bulletproof against inconsistencies and (b) not > subvertible by the PL/Java user, it might be that there's no hole in > practice. But assumption (b) seems pretty fragile to me. > > I think that assumption is without ground. Java doesn't permit you to access memory unless you use Java classes (java.nio stuff) that is explicitly designed to do that and you need native code to set such things up. A PL/Java user can not do that unless he is able to link in other shared objects or dll's to the backend process. Based on that, I claim that your statement about a "security hole a mile wide" is incorrect. PL/Java is not subject to issues relating to misuse of backend memory. Regards, Thomas Hallgren