Received: from localhost (unknown [200.46.204.183]) by postgresql.org (Postfix) with ESMTP id 1DC8B650218 for ; Fri, 1 Aug 2008 21:02:15 -0300 (ADT) Received: from postgresql.org ([200.46.204.86]) by localhost (mx1.hub.org [200.46.204.183]) (amavisd-maia, port 10024) with ESMTP id 61685-09 for ; Fri, 1 Aug 2008 21:01:56 -0300 (ADT) Received: from news.hub.org (news.hub.org [200.46.204.72]) by postgresql.org (Postfix) with ESMTP id A8B4064FF57 for ; Fri, 1 Aug 2008 21:00:50 -0300 (ADT) Received: from news.hub.org (news.hub.org [200.46.204.72]) by news.hub.org (8.14.1/8.14.1) with ESMTP id m7200f4Q064482 for ; Fri, 1 Aug 2008 21:00:41 -0300 (ADT) (envelope-from news@news.hub.org) Received: (from news@localhost) by news.hub.org (8.14.1/8.14.1/Submit) id m71Npjif057780 for pgsql-hackers@postgresql.org; Fri, 1 Aug 2008 20:51:45 -0300 (ADT) (envelope-from news) From: Andrew Gierth X-Newsgroups: pgsql.hackers Subject: Re: [Pljava-dev] Should creating a new base type require superuser status? Date: Sat, 02 Aug 2008 00:51:47 +0100 Organization: disorganised Lines: 19 Message-ID: <87zlnwnvjg.fsf@news-spur.riddles.org.uk> References: <19715.1217447413@sss.pgh.pa.us> <20080730220753.GG3977@alvh.no-ip.org> <23846.1217539394@sss.pgh.pa.us> <48937589.10304@tada.se> <23725.1217626961@sss.pgh.pa.us> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cancel-Lock: sha1:aTrFOuRgdlLOrXxKc/K8uNeex9Y= sha1:3EoXJK5xXL/WdOmXgyXSTqOQO3c= User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/22.1 (berkeley-unix) To: pgsql-hackers@postgresql.org X-Virus-Scanned: Maia Mailguard 1.0.1 X-Archive-Number: 200808/32 X-Sequence-Number: 121786 >>>>> "Tom" == Tom Lane writes: >> Tom, could you please elaborate where you see a security hole? Tom> The problem that we've seen in the past shows up when the user Tom> lies in the CREATE TYPE command, specifying type representation Tom> properties that are different from what the underlying functions Tom> expect. In particular, if it's possible to pass a pass-by-value Tom> integer to a function that's expecting a pass-by-reference Tom> datum, you can misuse the function to access backend memory. It strikes me that type output functions are routinely invoked by superusers (e.g. during pg_dump), and therefore if a non-superuser can create a type, that seems to imply that there's no way for a superuser to safely examine or dump the content of the database without risking the execution of untrusted code, correct? -- Andrew (irc:RhodiumToad)