Gregory Stark <[EMAIL PROTECTED]> writes: > "Aidan Van Dyk" <[EMAIL PROTECTED]> writes: >> What if you didn't need super-user privileges to load "C" functions, on >> the conditions that: >> 1) There is no / in the obj_file filename (or some other "sanitizing" >> rules) >> 2) You're database owner
> That's an interesting idea. And utterly, utterly insecure. The fact that the referenced object file is a "trusted" Postgres module isn't enough to make it safe --- the user can still play hob with the system by creating functions with the wrong argument/result types, pointing at exported symbols that weren't meant to be callable functions, creating broken index opclasses from the functions, etc. I think you'd need to move the security gating up a level, and somehow see the SQL-language installation and deinstallation scripts as trusted. This goes back to the question of what is a module anyway. Like Andrew, I'm a bit disturbed that people feel free to propose to implement this stuff when they evidently have read none of the prior discussions. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers