Re: How to get SE-PostgreSQL acceptable

From: Stephen Frost
Subject: Re: How to get SE-PostgreSQL acceptable
Date:
Msg-id: 20090129030857.GD8123@tamriel.snowman.net
In reply to: Re: How to get SE-PostgreSQL acceptable (KaiGai Kohei <kaigai@ak.jp.nec.com>)
List: pgsql-hackers

* KaiGai Kohei (kaigai@ak.jp.nec.com) wrote:
>> I agree that that's no good.

As do I.

> My concern is that superuser is allowed to modify system catalog
> by hand, like:
>
>   UPDATE pg_proc SET probin = '/tmp/malicious_library.so'
>      WHERE oid = ...;

That UPDATE still goes through permissions checking, and that checking
even includes an explicit check when system catalogs are involved.
Appropriate hooks in that permission checking could prevent this from
ever being allowed.

> It is logically same as ALTER FUNCTION.

Sure, but I think it's straight-forward to make a case for "don't update
the system catalogs when you're running SE-PostgreSQL, use the
appropriate ALTER commands", and then remove the ability to do so when
SE-PostgreSQL is enabled.

>> Can you (or someone) provide a pointer to the archives?  I can't
>> immediately see any reason why that problem wouldn't be fixable.
>
> IIRC, 0racle or M$ has a patent to rewrite WHERE clause for security
> purpose, so Tom suggested it should be implemented using a hook
> deployed within executor.
> At least, it also enables code more simple.

It'd probably be Oracle..  I'm not a big fan of that approach anyway
though, although I don't have any particular reason beyond 'it feels
kludgy' at the moment.

Thanks,
    Stephen
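
An audit query for the catalog edit discussed in this message, as an added example that is not part of the original post or of the SE-PostgreSQL patch: it lists C-language functions by where `pg_proc.probin` points, so a library path changed by a hand-written UPDATE stands out. Treating anything not under `$libdir` as worth review is an assumption of this example.

```sql
-- Added example: review where C-language functions load their code from.
-- probin holds the shared-library path for functions written in C.
-- Assumption of this example: legitimately installed libraries are
-- referenced through the $libdir prefix; anything else is flagged for review.
SELECT p.oid                        AS function_oid,
       n.nspname                    AS schema_name,
       p.proname                    AS function_name,
       pg_get_userbyid(p.proowner)  AS owner,
       p.probin                     AS library_path,
       CASE
           WHEN p.probin LIKE '$libdir/%' THEN 'under $libdir'
           WHEN p.probin LIKE '/%'        THEN 'absolute path: review'
           ELSE 'bare name, resolved via dynamic_library_path: review'
       END                          AS assessment
FROM   pg_catalog.pg_proc      p
JOIN   pg_catalog.pg_language  l ON l.oid = p.prolang
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE  l.lanname = 'c'
  AND  p.probin IS NOT NULL
ORDER  BY (p.probin LIKE '$libdir/%'),   -- flagged rows first
          p.probin, n.nspname, p.proname;

-- Roles that bypass ordinary permission checks and could therefore
-- issue the catalog UPDATE quoted above.
SELECT rolname
FROM   pg_catalog.pg_roles
WHERE  rolsuper
ORDER  BY rolname;
```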
