Re: sandboxing untrusted code
От | Jeff Davis |
---|---|
Тема | Re: sandboxing untrusted code |
Дата | |
Msg-id | c501309db4e199f93cd3acb200cbd8394651302e.camel@j-davis.com обсуждение исходный текст |
Ответ на | Re: sandboxing untrusted code (Robert Haas <robertmhaas@gmail.com>) |
Список | pgsql-hackers |
On Tue, 2023-09-05 at 12:25 -0400, Robert Haas wrote: > I think I've more or less answered this already -- fully sandboxed > code can't make reference to external data sources, from which it > follows that it can't exercise SELECT (and most other privileges). By what principle are we allowing EXECUTE but not SELECT? In theory, at least, a function could hold secrets in the code, e.g.: CREATE FUNCTION answer_to_ultimate_question() RETURNS INT LANGUAGE plpgsql AS $$ BEGIN RETURN 42; END; $$; Obviously that's a bad idea in plpgsql, because anyone can just read pg_proc. And maybe C would be handled differently somehow, so maybe it all works. But it feels like something is wrong there: it's fine to execute the answer_to_ultimate_question() not because Bob has an EXECUTE privilege, but because the sandbox renders any security concerns with *anyone* executing the function moot. So why bother checking the EXECUTE privilege at all? > And that's where I see the distinction between *having* permissions > and those permissions being *available* in a particular context. Bob > has permission to give Alice an extra $1000 or whatever if he has the > money and wishes to do so. But those permissions are probably not > *available* in the context where Bob is following a set of > instructions from Alice. If Bob's brain spontaneously generated the > idea "let's give Alice a $1000 tip because her vacation home was > absolutely amazing and I am quite rich," he would probably go right > ahead and act on that idea and that is completely fine. But when Bob > encounters that same idea *on a list of instructions provided by > Alice*, the same operation is blocked *because it came from Alice*. > If > the list of instructions from Alice said to sweep the parlor, Bob > would just go ahead and do it. Alice has permission to induce Bob to > sweep the parlor, but does not have permission to induce Bob to give > her a bunch of extra money. In the real world example, sweeping the parlor has a (slight) cost to the person doing it and it (slightly) matters who does it. In Postgres, we don't do any CPU accounting per user, and it's all executed under the same PID, so it really doesn't matter. So it raises the question: why would we not simply say that this list of instructions should be executed by the person who wrote it, in which case the existing privilege mechanism would work just fine? > And in the database context, I think it's fine if Alice induces Bob > to > compute some values or look at the value of work_mem, but I don't > think it's OK if Alice induces Bob to make her a superuser. If all the code can do is compute some values or look at work_mem, perhaps the function needs no privileges at all (or some minimal privileges)? You explained conceptually where you're coming from, but I still don't see much of a practical difference between having privileges but being in a context where they won't be used, and dropping the privileges entirely during that time. I suppose the answer is that the EXECUTE privilege will still be used, but as I said above, that doesn't entirely make sense to me, either. Regards, Jeff Davis
В списке pgsql-hackers по дате отправления: