-
Notifications
You must be signed in to change notification settings - Fork 80
Security
Only a PostgreSQL super user can install PL/Java. The PL/Java utility functions are installed as "security definer" so that they execute with the access permissions that were granted to the creator of the functions.
PL/Java can declare two language entries in SQL: java and javau.
Following the conventions of other PostgreSQL PLs, the 'untrusted' language
(javau) places no restrictions on what the Java code can do, while the
'trusted' language (java) installs a security manager that restricts access
to the filesystem. In PL/Java 1.5.x, a legacy version, those policies are
fixed.
In PL/Java 1.6.x, the policies for both java and javau are configurable,
and additional language "aliases" can be created and given policies of their
own, as described in the docs.
GRANT/REVOKE USAGE ON LANGUAGE java can be used to regulate which users
are able to create functions in the java language. For the javau language,
regardless of permissions, only superusers can create functions.
Important: for implications of running on Java 17 and later, please see JEP 411.
The install_jar, replace-jar, and remove_jar utility functions optionally execute commands found in a SQL deployment descriptor. Such commands are executed with the permissions of the caller. In other words, although the utility function is declared with "security definer", it switches back to the identity of the invoker during execution of the deployment descriptor commands.
The utility function set_classpath requires
that the caller of the function has been granted CREATE permission on the
affected schema, unless it is the public schema, in which case the caller
must be a superuser.