untrusted languages and non-global superusers?
I'm using plphpu and I'd like to allow the regular
database user to use it, but since it's "untrusted" it
requires users to be superusers. If I have to do this,
I don't want the user to be a superuser for all
databases. Is it possible to grant superuser status to
a user for a specific database? All I'm familiar with
is "alter user joe createuser." Or is there a better
way of handling this language and permission issue?
(The function uses mail(), so IIRC that necessitates
using plphpu).
Thanks,
CSN
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
CSN <cool_screen_name90001@yahoo.com> writes:
I'm using plphpu and I'd like to allow the regular
database user to use it, but since it's "untrusted" it
requires users to be superusers. If I have to do this,
I don't want the user to be a superuser for all
databases. Is it possible to grant superuser status to
a user for a specific database?
Exactly how would you prevent him from converting that into global
access? Especially if you're going to give him use of an untrusted
language? He could easily rewrite any configuration file you might
think is going to lock him out of your other databases.
(The function uses mail(), so IIRC that necessitates
using plphpu).
Sending mail from a database function (or doing anything else that
involves external side-effects) is generally A Bad Idea, for reasons
that have been covered many times in the list archives.
regards, tom lane
--- Tom Lane <tgl@sss.pgh.pa.us> wrote:CSN <cool_screen_name90001@yahoo.com> writes:
I'm using plphpu and I'd like to allow the regular
database user to use it, but since it's"untrusted" it
requires users to be superusers. If I have to do
this,
I don't want the user to be a superuser for all
databases. Is it possible to grant superuserstatus to
a user for a specific database?
Exactly how would you prevent him from converting
that into global
access? Especially if you're going to give him use
of an untrusted
language? He could easily rewrite any configuration
file you might
think is going to lock him out of your other
databases.
You lost me - how is any of that possible?
(The function uses mail(), so IIRC that
necessitates
using plphpu).
Sending mail from a database function (or doing
anything else that
involves external side-effects) is generally A Bad
Idea, for reasons
that have been covered many times in the list
archives.
Why, exactly? In this situation I just set up a
trigger that sends a welcome email to newly inserted
members. Very convenient.
CSN
____________________________________________________
Start your day with Yahoo! - make it your home page
http://www.yahoo.com/r/hs
Am Mittwoch, den 03.08.2005, 21:29 -0700 schrieb CSN:
--- Tom Lane <tgl@sss.pgh.pa.us> wrote:CSN <cool_screen_name90001@yahoo.com> writes:
I'm using plphpu and I'd like to allow the regular
database user to use it, but since it's"untrusted" it
requires users to be superusers. If I have to do
this,
I don't want the user to be a superuser for all
databases. Is it possible to grant superuserstatus to
a user for a specific database?
Exactly how would you prevent him from converting
that into global
access? Especially if you're going to give him use
of an untrusted
language? He could easily rewrite any configuration
file you might
think is going to lock him out of your other
databases.You lost me - how is any of that possible?
untrusted languages run in the context of the database
and have full access to the filesystem. In short, you
can do anything with them your database can do + a lot more.
(The function uses mail(), so IIRC that
necessitates
using plphpu).
Sending mail from a database function (or doing
anything else that
involves external side-effects) is generally A Bad
Idea, for reasons
that have been covered many times in the list
archives.Why, exactly? In this situation I just set up a
trigger that sends a welcome email to newly inserted
members. Very convenient.
Why cant your application handle this?
Otoh, why dont you provide a function to send mail,
which takes some parameters and just let your users
use them? No need for everybody to write her own
mail function.
--- Tino Wildenhain <tino@wildenhain.de> wrote:(The function uses mail(), so IIRC that
necessitates
using plphpu).
Sending mail from a database function (or doing
anything else that
involves external side-effects) is generally ABad
Idea, for reasons
that have been covered many times in the list
archives.Why, exactly? In this situation I just set up a
trigger that sends a welcome email to newlyinserted
members. Very convenient.
Why cant your application handle this?
Otoh, why dont you provide a function to send mail,
which takes some parameters and just let your users
use them? No need for everybody to write her own
mail function.
Convenience! I want the email sent whether the member
is added via the web interface, directly in the
database, from the command line, etc. I don't see any
downside. It's only one user that'll be using this
function.
CSN
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
CSN wrote:
Why cant your application handle this?
Otoh, why dont you provide a function to send mail,
which takes some parameters and just let your users
use them? No need for everybody to write her own
mail function.Convenience! I want the email sent whether the member
is added via the web interface, directly in the
database, from the command line, etc. I don't see any
downside. It's only one user that'll be using this
function.
But it does mean that user is running code as the database user, so if
you don't trust them with that, don't do it.
What I use with this is a "message_queue" table and a cron-job that runs
once a minute (or every 5). It keeps the two processes separate (decide
to send a message and assemble the message and send it) and also lets
you get more complicated (in one example I need to build a report,
produce a PDF and then attach it to the email I generate).
--
Richard Huxton
Archonet Ltd
Am Donnerstag, den 04.08.2005, 01:35 -0700 schrieb CSN:
--- Tino Wildenhain <tino@wildenhain.de> wrote:(The function uses mail(), so IIRC that
necessitates
using plphpu).
Sending mail from a database function (or doing
anything else that
involves external side-effects) is generally ABad
Idea, for reasons
that have been covered many times in the list
archives.Why, exactly? In this situation I just set up a
trigger that sends a welcome email to newlyinserted
members. Very convenient.
Why cant your application handle this?
Otoh, why dont you provide a function to send mail,
which takes some parameters and just let your users
use them? No need for everybody to write her own
mail function.Convenience! I want the email sent whether the member
is added via the web interface, directly in the
database, from the command line, etc. I don't see any
Well, I also do such things with a small script which
basically LISTENs to notify from database, spools the
mails and go sleep again.
downside. It's only one user that'll be using this
function.
If so - why bother if the user can/cannot use untrusted
language? You write the function one time as superuser
and ready you are.
This isnt different if many users are going to use this
function. But they dont have to write or change it to use it.
--
Tino Wildenhain <tino@wildenhain.de>
--- Tino Wildenhain <tino@wildenhain.de> wrote:Convenience! I want the email sent whether the
member
is added via the web interface, directly in the
database, from the command line, etc. I don't seeany
Well, I also do such things with a small script
which
basically LISTENs to notify from database, spools
the
mails and go sleep again.
Could you elaborate how you do this? IIRC, there's an
example in the docs using C, but I'd prefer using a
scripting language.
Thanks,
CSN
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Am Donnerstag, den 04.08.2005, 02:24 -0700 schrieb CSN:
--- Tino Wildenhain <tino@wildenhain.de> wrote:Convenience! I want the email sent whether the
member
is added via the web interface, directly in the
database, from the command line, etc. I don't seeany
Well, I also do such things with a small script
which
basically LISTENs to notify from database, spools
the
mails and go sleep again.Could you elaborate how you do this? IIRC, there's an
example in the docs using C, but I'd prefer using a
scripting language.
Yes, I'm using a scripting language too:
#!/usr/bin/python
import smtplib, select
from pyPgSQL import PgSQL
db=PgSQL.connect(host=..,user=..,password=..,database=..)
cur=db.cursor()
cur.execute("LISTEN table_where_you_notify")
db.commit()
while True:
rlist,wlist,xlist=select.select([db.conn.socket],[],[],600)
if db.conn.socket in rlist:
db.conn.consumeInput()
notifies=db.conn.notifies()
if notifies:
print "Backend with pid %s used notify" % n.be_pid
... here do something interesting, like selecting
from the spool table and format your mails...
db.commit()
--
Tino Wildenhain <tino@wildenhain.de>
CSN wrote:
Convenience! I want the email sent whether the member
is added via the web interface, directly in the
database, from the command line, etc. I don't see any
downside. It's only one user that'll be using this
function.
Well, there are three issues with doing complex things like sending mail
from your backend.
The first is security. Personally, I think that this is a concern that
can be mitigated if there are only a few people who can create untrusted
language functions in an organization and if there is code review of
them by others before they are added.
The second is not so easily mitigated. This is latency. If you are
inserting a large number of users at once, then the trigger will fire
when the new member is added and you will need to wait for it. For
performance reasons, it is often a good idea to separate this from the
backend so that inserts can return quickly.
The third though is the biggie--- transactional control. Lets say I
have a trigger that sends the email. Lets say the transaction aborts.
The user still gets the email even though they were never added to the
system. So lets say you try to deal with this by deferring the trigger
until the transaction completes. It is still possible that (perhaps at
some later date) another trigger will be deferred which will run after
this one. The result is fantom emails.
Personally, I would not mind using email-from-db functions under limited
circumstances. Some sort of security-related trigger might be used when
something happens worth notifying the database admins immediately under
certain circumstances (NEW USER CREATED. Login: ....).
I am not going to say "never do it" but I think that in most cases,
NOTIFY is more flexible and will perform better. Here you can use a
trigger to insert into a message queue and use NOTIFY to let a listening
process know that some action needs to be taken.
Best Wishes,
Chris Travers
Metatron Technology Consulting