PostgreSQL Chinese Operations Guide

22.6. Function Security

Functions, triggers and row-level security policies allow users to insert code into the backend server that other users might execute unintentionally. Hence, these mechanisms permit users to “Trojan horse” others with relative ease. The strongest protection is tight control over who can define objects. Where that is infeasible, write queries referring only to objects having trusted owners. Remove from search_path any schemas that permit untrusted users to create objects.

Functions run inside the backend server process with the operating system permissions of the database server daemon. If the programming language used for the function allows unchecked memory accesses, it is possible to change the server’s internal data structures. Hence, among many other things, such functions can circumvent any system access controls. Function languages that allow such access are considered “untrusted”, and PostgreSQL allows only superusers to create functions written in those languages.
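The two paragraphs above describe the risk but not the configuration that addresses it. The following SQL is an added example, not part of the PostgreSQL manual, showing the defensive measures they recommend: a trusted owner for application objects, a search_path restricted to trusted schemas, a SECURITY DEFINER function that pins its own search_path and schema-qualifies every reference, and a catalog check for which procedural languages are trusted. The role names app_owner and app_user, the schema app and the table app.orders are assumptions chosen for the example.

```sql
-- Added example (not from the PostgreSQL manual). Run as a superuser.
-- Names app_owner, app_user, app and app.orders are assumptions.

-- 1. Untrusted users must not be able to create objects in a schema that
--    other users search. PostgreSQL 15+ already revokes this by default;
--    on older releases it has to be done explicitly.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Keep application objects in a schema owned by a trusted role; ordinary
--    users get USAGE (name resolution) but not CREATE.
CREATE ROLE app_owner;
CREATE ROLE app_user LOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;
GRANT USAGE ON SCHEMA app TO app_user;

CREATE TABLE app.orders (
    id          integer GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    customer_id integer NOT NULL
);
ALTER TABLE app.orders OWNER TO app_owner;

-- 3. Pin the login role's search_path to schemas whose owners are trusted.
--    pg_temp goes last so a temporary object can never shadow a real one.
ALTER ROLE app_user SET search_path = app, pg_catalog, pg_temp;

-- 4. A function that runs with its owner's rights (SECURITY DEFINER) fixes
--    its own search_path and qualifies every object it touches, so the
--    caller's search_path cannot change which code or table is used.
CREATE OR REPLACE FUNCTION app.count_orders(p_customer integer)
RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    SELECT pg_catalog.count(*)
    FROM app.orders
    WHERE customer_id = p_customer;
$$;
-- Owned by the trusted application role, never by a superuser.
ALTER FUNCTION app.count_orders(integer) OWNER TO app_owner;
-- EXECUTE is granted to PUBLIC by default; restrict it to the intended role.
REVOKE ALL ON FUNCTION app.count_orders(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.count_orders(integer) TO app_user;

-- 5. Languages with lanpltrusted = false (for example plpython3u or C) can
--    reach server memory directly; only superusers may create functions in
--    them, and the catalog shows which installed languages fall in that class.
SELECT lanname, lanpltrusted
FROM pg_catalog.pg_language
WHERE lanispl
ORDER BY lanname;
```

Step 4 follows the pattern the CREATE FUNCTION reference documents for writing SECURITY DEFINER functions safely: set search_path in the function definition rather than relying on the caller's setting, and place pg_temp last. The final query is a quick audit: any row with lanpltrusted = false is a language in which function creation is reserved to superusers.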