Andrew Dunstan wrote:
> 
> 
> Bruce Momjian wrote:
> 
> >As a super-user, could an attacker load a server-side language and
> >access the backend environment variable PGDATA?
> 
> plperl won't do it, but plperlu will (as expected I guess). But the 
> superuser will have to jump through some explicit hoops in order to get 
> there, which is different from providing such facilities out of the box.

I am thinking they could easily use pgtcl.  I don't think the hoops are
very high.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  [EMAIL PROTECTED]               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
