Saturday, August 2, 2008

Re: [HACKERS] Re: [Pljava-dev] Should creating a new base type require superuser status?

Tom Lane wrote:
>
>> This is a non-issue in PL/Java. An integer parameter is never passed by
>> reference and there's no way the PL/Java user can get direct access to
>> backend memory.
>>
>
> So what exactly does happen when the user deliberately specifies wrong
> typlen/typbyval/typalign info when creating a type based on PL/Java
> functions?
>
>
Everything is converted into instances of Java classes such as String,
byte[], etc.

>> I think that assumption is without ground. Java doesn't permit you to
>> access memory unless you use Java classes (java.nio stuff) that is
>> explicitly designed to do that and you need native code to set such
>> things up. A PL/Java user can not do that unless he is able to link in
>> other shared objects or dll's to the backend process.
>>
>
> PL/Java itself must be doing "unsafe" things in order to interface with
> PG at all. So what your argument really is is that you have managed to
> securely sandbox the user-written code you are calling. That might or
> might not be true, but I don't think that worrying about it is without
> foundation.
>
>
I would be presumptuous to claim that I provide the sandbox. All PL/Java
does is to provide the type mapping. The sandbox as such is implicit in
Java, much in the same way that it does it for web-browsers etc.

Regardless of that, I think there's some difference in expressing a
worry that might or might not have a foundation versus claiming that
there indeed must be a security hole a mile wide ;-)

- thomas


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

No comments: