PG 18 docs from https://ftp.postgresql.org/pub/source/v18.0/postgresql-18.0-docs...

[ai-pg] / full-docs / src / sgml / html / plperl-trusted.html

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>43.5. Trusted and Untrusted PL/Perl</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="plperl-global.html" title="43.4. Global Values in PL/Perl" /><link rel="next" href="plperl-triggers.html" title="43.6. PL/Perl Triggers" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">43.5. Trusted and Untrusted PL/Perl</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="plperl-global.html" title="43.4. Global Values in PL/Perl">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="plperl.html" title="Chapter 43. PL/Perl — Perl Procedural Language">Up</a></td><th width="60%" align="center">Chapter 43. PL/Perl — Perl Procedural Language</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="plperl-triggers.html" title="43.6. PL/Perl Triggers">Next</a></td></tr></table><hr /></div><div class="sect1" id="PLPERL-TRUSTED"><div class="titlepage"><div><div><h2 class="title" style="clear: both">43.5. Trusted and Untrusted PL/Perl <a href="#PLPERL-TRUSTED" class="id_link">#</a></h2></div></div></div><a id="id-1.8.10.13.2" class="indexterm"></a><p>
   Normally, PL/Perl is installed as a <span class="quote">“<span class="quote">trusted</span>”</span> programming
   language named <code class="literal">plperl</code>.  In this setup, certain Perl
   operations are disabled to preserve security.  In general, the
   operations that are restricted are those that interact with the
   environment. This includes file handle operations,
   <code class="literal">require</code>, and <code class="literal">use</code> (for
   external modules).  There is no way to access internals of the
   database server process or to gain OS-level access with the
   permissions of the server process,
   as a C function can do.  Thus, any unprivileged database user can
   be permitted to use this language.
  </p><div class="warning"><h3 class="title">Warning</h3><p>
    Trusted PL/Perl relies on the Perl <code class="literal">Opcode</code> module to
    preserve security.
    Perl
    <a class="ulink" href="https://perldoc.perl.org/Opcode#WARNING" target="_top">documents</a>
    that the module is not effective for the trusted PL/Perl use case.  If
    your security needs are incompatible with the uncertainty in that warning,
    consider executing <code class="literal">REVOKE USAGE ON LANGUAGE plperl FROM
    PUBLIC</code>.
   </p></div><p>
   Here is an example of a function that will not work because file
   system operations are not allowed for security reasons:
</p><pre class="programlisting">
CREATE FUNCTION badfunc() RETURNS integer AS $$
    my $tmpfile = "/tmp/badfile";
    open my $fh, '&gt;', $tmpfile
        or elog(ERROR, qq{could not open the file "$tmpfile": $!});
    print $fh "Testing writing to a file\n";
    close $fh or elog(ERROR, qq{could not close the file "$tmpfile": $!});
    return 1;
$$ LANGUAGE plperl;
</pre><p>
    The creation of this function will fail as its use of a forbidden
    operation will be caught by the validator.
  </p><p>
   Sometimes it is desirable to write Perl functions that are not
   restricted.  For example, one might want a Perl function that sends
   mail.  To handle these cases, PL/Perl can also be installed as an
   <span class="quote">“<span class="quote">untrusted</span>”</span> language (usually called
   <span class="application">PL/PerlU</span><a id="id-1.8.10.13.6.3" class="indexterm"></a>).
   In this case the full Perl language is available.  When installing the
   language, the language name <code class="literal">plperlu</code> will select
   the untrusted PL/Perl variant.
  </p><p>
   The writer of a <span class="application">PL/PerlU</span> function must take care that the function
   cannot be used to do anything unwanted, since it will be able to do
   anything that could be done by a user logged in as the database
   administrator.  Note that the database system allows only database
   superusers to create functions in untrusted languages.
  </p><p>
   If the above function was created by a superuser using the language
   <code class="literal">plperlu</code>, execution would succeed.
  </p><p>
   In the same way, anonymous code blocks written in Perl can use
   restricted operations if the language is specified as
   <code class="literal">plperlu</code> rather than <code class="literal">plperl</code>, but the caller
   must be a superuser.
  </p><div class="note"><h3 class="title">Note</h3><p>
    While <span class="application">PL/Perl</span> functions run in a separate Perl
    interpreter for each SQL role, all <span class="application">PL/PerlU</span> functions
    executed in a given session run in a single Perl interpreter (which is
    not any of the ones used for <span class="application">PL/Perl</span> functions).
    This allows <span class="application">PL/PerlU</span> functions to share data freely,
    but no communication can occur between <span class="application">PL/Perl</span> and
    <span class="application">PL/PerlU</span> functions.
   </p></div><div class="note"><h3 class="title">Note</h3><p>
    Perl cannot support multiple interpreters within one process unless
    it was built with the appropriate flags, namely either
    <code class="literal">usemultiplicity</code> or <code class="literal">useithreads</code>.
    (<code class="literal">usemultiplicity</code> is preferred unless you actually need
    to use threads.  For more details, see the
    <span class="citerefentry"><span class="refentrytitle">perlembed</span></span> man page.)
    If <span class="application">PL/Perl</span> is used with a copy of Perl that was not built
    this way, then it is only possible to have one Perl interpreter per
    session, and so any one session can only execute either
    <span class="application">PL/PerlU</span> functions, or <span class="application">PL/Perl</span> functions
    that are all called by the same SQL role.
   </p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="plperl-global.html" title="43.4. Global Values in PL/Perl">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="plperl.html" title="Chapter 43. PL/Perl — Perl Procedural Language">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="plperl-triggers.html" title="43.6. PL/Perl Triggers">Next</a></td></tr><tr><td width="40%" align="left" valign="top">43.4. Global Values in PL/Perl </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 43.6. PL/Perl Triggers</td></tr></table></div></body></html>