* Joe Conway ([EMAIL PROTECTED]) wrote: > Stephen Frost wrote: >> No, it doesn't... Said arbitrary function in y, in untrusted language >> z, could be perfectly safe for users to call. > ^^^^^ > *Could* be. But we just said that the admin was not interested in reading > the documentation, and has no idea if it *is* safe. And, it very well might > not be safe. We have no way to know in advance because the language is > untrusted.
If it's not safe then it shouldn't be enabled by default. That's pretty much the point. If something is known to be unsafe for users to have access to then it should be disabled by default. >> Being written in an untrusted language has got next to nothing to do with >> the security >> implications of a particular function. It depends entirely on what the >> function is *doing*, not what language it's written in. > > Sure it matters. A function written in a trusted language is known to be > safe, a priori. A function written in an untrusted language has no such > guarantees, and therefore has to be assumed unsafe unless carefully proved > otherwise. I see.. So all the functions in untrusted languages that come with PG initially should be checked over by every sysadmin when installing PG every time... And the same for PostGIS, and all of the PL's that use untrusted languages? On my pretty modest install that's 2,206 functions. For some reason I see something of a difference between 'generate_series' and 'dblink' in terms of security and which one I'm comfortable having enabled by default and which one I'm not. Thanks, Stephen
signature.asc
Description: Digital signature