"David G. Johnston" <david.g.johnston@xxxxxxxxx> writes:
> On Thu, Oct 21, 2021 at 6:48 PM Wells Oliver <wells.oliver@xxxxxxxxx> wrote:
>> Is there anything out there written about what trusted means? The PG
>> community seems pretty trusting :)
> It basically means the programming language allows the author of the code
> to break out of the server and access the underlying operating system as
> the postgres user.
Right. If RDS won't give you superuser, they sure as heck won't
give you an untrusted PL, because that's an even shorter path to
getting access to the underlying system.
> I believe this is written in the docs - but I haven't
> searched recently.
The CREATE LANGUAGE man page defines the flag as
<literal>TRUSTED</literal> specifies that the language does
not grant access to data that the user would not otherwise
have.
That's a tighter definition than is of interest here --- for
example, a language that only gave you SQL access but let
you bypass SQL privilege checks would have to be not-trusted,
a conclusion I agree with. In practice though, external PL
systems know darn little about SQL. It's their ability to
access the underlying OS that makes them problematic.
regards, tom lane
