
Re: PCI:SSF - Safe SQL Query & operators filter


 




> On Nov 7, 2022, at 17:43, Jan Bilek <jan.bilek@xxxxxxxxxxxxx> wrote:
> 
> Well, superuser (our App) is already logged in and as it is designed 
> very much as an "appliance" it simply does that job - manages its 
> database.

Well... don't do that. :)  The problem is analogous to having root log into a Linux box and run application commands.  It works, but it opens a security hole, as you've discovered.

> Yes, agreed. Any ideas?

In this particular case (creating an untrusted PL and functions therein), you'll need to use a PostgreSQL superuser.  This is a separate operation from routine application use, though.  (I'll note that having functions in an untrusted PL in a PCI-sensitive system is not a great idea, as you'll need to audit them very closely to make sure that they can't do anything untoward outside the role system.)
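
The two checks this reply implies, written as catalog queries. This is an added example, not part of the original message or of any project's code. It uses only the standard PostgreSQL system catalogs and assumes nothing about the poster's schema.

```sql
-- Added example: read-only audit queries against the system catalogs.

-- 1. Roles that are superuser AND allowed to log in.
--    The application's own login role should not appear in this list;
--    superuser access is kept for separate maintenance operations.
SELECT rolname
FROM pg_roles
WHERE rolsuper
  AND rolcanlogin
ORDER BY rolname;

-- 2. Every function written in an untrusted procedural language.
--    These are the functions that need the close audit, because their
--    bodies can act outside the role and privilege system.
SELECT n.nspname                                  AS schema_name,
       p.proname                                  AS function_name,
       pg_get_function_identity_arguments(p.oid)  AS arguments,
       l.lanname                                  AS language,
       r.rolname                                  AS owner,
       r.rolsuper                                 AS owner_is_superuser,
       p.prosecdef                                AS security_definer,
       -- 'public' checks the PUBLIC pseudo-role, i.e. every role
       has_function_privilege('public', p.oid, 'EXECUTE')
                                                  AS public_can_execute
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles     r ON r.oid = p.proowner
WHERE l.lanispl              -- procedural languages only (skips internal, c, sql)
  AND NOT l.lanpltrusted     -- untrusted: creating functions needs a superuser
ORDER BY n.nspname, p.proname;
```

Rows from the second query where `security_definer` and `public_can_execute` are both true deserve the first look: any role can call them, and they run with the owner's privileges.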




