<snip good explanation. Thanks.> > > Let me suggest another nice way for a superuser to do > whatever he wants. > > How about "CREATE UNTRUSTED PROCEDURAL LANGUAGE"? If you have say > > pl/perl or pl/tcl on the system, you just create the > untrusted version > > and away you go - because they use the same .so. > > Yeah, I was thinking earlier about proposing that the trusted > and untrusted versions need to be distinct .so's, so that the > admin can physically remove the untrusted ones to prevent > this scenario. > But, again, the existence of security hole A is not > justification for introducing security hole B. > > > Instead of trying to pick on one feature, how about trying > something > > constructive instead? > > That'd be fine with me --- but we have to introduce that > *before* we add obvious new security risks, not after.
So what do you think of the proposed GUC? Or what about a parameter to restrict both COPY and the utility functions to certain subdirs only? (BTW, I was under the impression that the admin functions were restricted to the pgdata directory already, but I could be wrong - I don't have the latest version of the patch around) //Magnus ---------------------------(end of broadcast)--------------------------- TIP 9: In versions below 8.0, the planner will ignore your desire to choose an index scan if your joining column's datatypes do not match