On Tue, 2006-04-11 at 17:20 -0400, Tom Lane wrote:
> No, I'm saying that having access to a PL renders certain classes of
> attacks significantly more efficient. A determined attacker with
> unlimited time may not care, but in the real world, security is
> relative.
That's a fair point.
Perhaps a compromise would be to enable pl/pgsql by default, but not
grant the USAGE privilege on it. This would allow superusers to define
pl/pgsql functions without taking any additional steps. Non-superusers
could be given access to pl/pgsql via a simple GRANT -- either for all
users via GRANT TO PUBLIC, or on a more granular basis as desired. This
would lower the barrier to using pl/pgsql by a fairly significant
margin, but not cause any additional security exposure that I can see.
-Neil