Discussion: Expect problems with PL/Python and Python version 2.2.3+ & 2.3+

My understanding (from the documentation and from a quick code check) is that the PL/Python code uses Python's "rexec" ability to provide a restricted execution environment for the Python code.

For those unfamiliar with it, rexec provides a restricted execution environment, limiting access to certain Python and system routines. This functionality is being deprecated in Python, due to security problems and lack of maintainership to resolve them... Python 2.2.3 will ship next Friday with rexec disabled, and Python version 2.3 should be out in about a month and will also not have rexec.

The first issue to note is that currently rexec does have some security problems which mean that enabling pl/python may cause users to gain access to the system as the user PostgreSQL is running as. I'm not very familiar with these problems, just that there are some...

It may be appropriate to just remove the rexec, with the result being that PL/Python code will be able to have access to basically anything on the system as the user PostgreSQL is running as.

So, heads up... 2.2.3 and 2.3 and later versions of Python will probably not work with PostgreSQL and PL/Python.

Sean
--
Brooks's Law of Prototypes: Plan to throw one away, you will anyhow.
Sean Reifschneider, Inimitably Superfluous <jafo@tummy.com>
tummy.com, ltd. - Linux Consulting since 1995. Qmail, Python, SysAdmin
Back off man. I'm a scientist. http://HackingSociety.org/

Sean Reifschneider <jafo@tummy.com> writes:
> For those unfamiliar with it, rexec provides a restricted execution
> environment, limiting access to certain Python and system routines.
> This functionality is being deprecated in Python, due to security
> problems and lack of maintainership to resolve them...

Is no substitute solution being offered?

> It may be appropriate to just remove the rexec, with the result being
> that PL/Python code will be able to have access to basically anything on
> the system as the user PostgreSQL is running as.

We would have to change it to an untrusted language. We could do that, but it would mean a major reduction in the usefulness of plpython. Few DBAs of average paranoia levels want to give superuser access to their database users.

regards, tom lane

Guido van Rossum <guido@python.org> writes:
> I'm not saying I'm not sorry about this state of affairs. But I
> prefer to be upfront and say "there is currently no secure restricted
> execution mode" rather than pretend everything is cool and let bad
> guys hack into your system via the rexec holes.

Fair enough (and thanks for the prompt, authoritative answer!)

Looks like we either change plpython to untrusted status or remove it entirely :-(. Sean, do you have time to prepare a patch for the former?

regards, tom lane

> Sean Reifschneider <jafo@tummy.com> writes:
> > For those unfamiliar with it, rexec provides a restricted execution
> > environment, limiting access to certain Python and system routines.
> > This functionality is being deprecated in Python, due to security
> > problems and lack of maintainership to resolve them...
>
> Is no substitute solution being offered?

There are hopes that rexec will eventually be fixed. But nobody has signed up to do the work. So for the time being, no. (The fixes aren't simple; the problem is really deep in the bowels of the new class/type unification code, and a fix will require serious rethinking of the security implications of everything there.)

> > It may be appropriate to just remove the rexec, with the result being
> > that PL/Python code will be able to have access to basically anything on
> > the system as the user PostgreSQL is running as.
>
> We would have to change it to an untrusted language. We could do that,
> but it would mean a major reduction in the usefulness of plpython.
> Few DBAs of average paranoia levels want to give superuser access to
> their database users.

Then they shouldn't trust rexec either, at least not with Python 2.2 and up. I can't divulge the details, but there are quite a few known attacks on rexec. The python-dev list archives have details.

I'm not saying I'm not sorry about this state of affairs. But I prefer to be upfront and say "there is currently no secure restricted execution mode" rather than pretend everything is cool and let bad guys hack into your system via the rexec holes.

You could always downgrade to Python 2.1.3.

--Guido van Rossum (home page: http://www.python.org/~guido/)

On Mon, May 26, 2003 at 02:46:36AM -0400, Tom Lane wrote:
>Looks like we either change plpython to untrusted status or remove it
>entirely :-(. Sean, do you have time to prepare a patch for the former?

I don't really have the level of familiarity with the PostgreSQL code to do that in a timely manner. Sorry.

Sean
--
Q. What's the difference between Batman and Bill Gates?
A. When Batman fought the Penguin, he won.
Sean Reifschneider, Inimitably Superfluous <jafo@tummy.com>
tummy.com, ltd. - Linux Consulting since 1995. Qmail, Python, SysAdmin

Tilo Schwarz <list@tilo-schwarz.de> writes:
> Tom Lane writes:
>> Looks like we either change plpython to untrusted status or remove it
>> entirely :-(. Sean, do you have time to prepare a patch for the former?

> Please, don't remove it. We (a group of "trusted" people using Postgresql) are
> actually waiting for plpython to become untrusted, so we can use the full
> power of python (e.g. file access) from Postgresql.

Well, Sean disclaimed the project, so you seem to be next in line ;-) Go to it ...

regards, tom lane