Re: For review: Server instrumentation patch

From: Tom Lane
Subject: Re: For review: Server instrumentation patch
Msg-id: 27870.1122304510@sss.pgh.pa.us
In reply to: Re: For review: Server instrumentation patch (Stephen Frost <sfrost@snowman.net>)
List: pgsql-hackers

Stephen Frost <sfrost@snowman.net> writes:
> If you want to secure your system against a superuser()-level intrusion
> then you need to secure the unix account, or disable creation of
> C-language and other untrusted languages (at least).

Very likely --- which is why Magnus' idea of an explicit switch to
prevent superuser filesystem access seems attractive to me.  It'd
have to turn off LOAD and creation of new C functions as well as COPY
and the other stuff we discussed.

However, once again, the availability of security hole A does not
justify creating security hole B.  For example, even with creation
of new C functions disabled, a superuser attacker might be able to use a
file-write function to overwrite an existing .so and thereby subvert an
existing C-function definition to do something bad.
        regards, tom lane
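
The overwrite risk raised in the message above depends on whether the operating-system account running the server can modify or replace the shared libraries it loads. The following audit sketch is an added example, not part of the original message or of PostgreSQL; the function names and the sample directory tree are constructed for illustration, and it checks POSIX mode bits only.

```python
# Added example; function names and the sample tree are constructed for illustration.
import os
import stat
import tempfile

def mode_allows_write(st, uid, gids):
    """POSIX mode-bit check only: ACLs, capabilities and uid 0 are ignored."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def replaceable_libraries(libdir, uid, gids=()):
    """List (relative path, reason) for every .so under libdir that uid could alter."""
    findings = []
    for root, _dirs, files in os.walk(libdir):
        dst = os.stat(root)
        # A writable directory lets the account unlink or rename over an entry,
        # unless the sticky bit limits that to files (or a directory) it owns.
        dir_open = mode_allows_write(dst, uid, gids)
        for name in sorted(files):
            if not name.endswith(".so"):
                continue
            path = os.path.join(root, name)
            fst = os.stat(path)
            rel = os.path.relpath(path, libdir)
            if mode_allows_write(fst, uid, gids):
                findings.append((rel, "file writable"))
            elif dir_open and (not (dst.st_mode & stat.S_ISVTX) or uid in (fst.st_uid, dst.st_uid)):
                findings.append((rel, "directory writable"))
    return findings

def demo():
    """Constructed sample tree: one read-only and one writable library."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as lib:
        for name, mode in (("plsample.so", 0o444), ("contrib.so", 0o644)):
            path = os.path.join(lib, name)
            open(path, "wb").close()
            os.chmod(path, mode)
        os.chmod(lib, 0o555)  # locked directory: only the file's own bits matter
        locked = replaceable_libraries(lib, me)
        os.chmod(lib, 0o755)  # owner-writable directory: every entry is replaceable
        opened = replaceable_libraries(lib, me)
    return locked, opened

if __name__ == "__main__":
    print(demo())
```

Point `libdir` at the directory reported by `pg_config --pkglibdir` and pass the uid of the account the server runs as; an empty result means mode bits alone do not let that account replace a loadable library.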

