
[PATCH] [v8.5] Security checks on largeobjects

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: [PATCH] [v8.5] Security checks on largeobjects
Date: 2009-06-26 04:08:37
Message-ID: 4A4449C5.6070400@ak.jp.nec.com
Lists: pgsql-hackers
This patch adds support for DAC security checks on largeobjects.

The enhanced GRANT/REVOKE statement allows setting SELECT (read) and
UPDATE (write) permission on individual largeobjects.

At creation time, it checks ACL_CREATE on the schema object.
Currently a largeobject does not have any human-readable name or
qualified namespace, so we assume the "public" namespace here.

At deletion time, it checks ownership of the largeobject.
Only the resource owner and superusers can drop largeobjects.

The ownership and schema can be set using:
  ALTER LARGE OBJECT <lobj> OWNER TO <role>;
  ALTER LARGE OBJECT <lobj> SET SCHEMA <schema>;

The current pg_largeobject system catalog cannot store metadata
of the largeobjects, so its data structure is modified.

  CATALOG(pg_largeobject,2613)
  {
      Oid       lonsp;      /* OID of the namespace */
      Oid       loowner;    /* OID of the owner */
      aclitem   loacl[1];   /* access permissions */
  } FormData_pg_largeobject;

The current pg_largeobject is renamed to pg_largeobject_data.
One or more tuples within pg_largeobject_data point to
a record within pg_largeobject which holds the metadata of a
certain largeobject.

  CATALOG(pg_largeobject_data,2966) BKI_WITHOUT_OIDS
  {
      Oid       loid;       /* Identifier of large object */
      int4      pageno;     /* Page number (starting from 0) */
      bytea     data;       /* Data for page (may be zero-length) */
  } FormData_pg_largeobject_data;

Issues:
 * Is the ALTER LARGE OBJECT interface suitable?
 * How should we consider the namespace (schema) and the ownership
   of the largeobject?
 * Is a named large object (including a fully qualified one) worthwhile?
   It would enable us to specify a largeobject with a human-readable
   identifier string.
 * Is the data structure appropriate?
   - As an aside, pg_largeobject_data has an identical definition
     to TOAST tables. It may be possible to store them within a TOAST
     table.
 * If so, it may also resolve another TODO item:
   - Allow read/write into TOAST values like large objects

Memo:
  http://wiki.postgresql.org/wiki/Largeobject_Enhancement

Example:
  postgres=# REVOKE ALL ON LARGE OBJECT 1234 FROM PUBLIC;
  REVOKE
  postgres=# GRANT SELECT ON LARGE OBJECT 1234 TO ymj;
  GRANT
  postgres=# GRANT SELECT,UPDATE ON LARGE OBJECT 1234 TO tak;
  GRANT

  postgres=# \c - ymj
  psql (8.4rc2)
  You are now connected to database "postgres" as user "ymj".
  postgres=> SELECT loread(lo_open(1234, x'40000'::int), 10);
     loread
  ------------
   1234567890
  (1 row)

  postgres=> SELECT lowrite(lo_open(1234, x'20000'::int), 'abcdefg');
  ERROR:  permission denied for largeobject largeobject:1234

  postgres=> \c - tak
  psql (8.4rc2)
  You are now connected to database "postgres" as user "tak".
  postgres=> SELECT lowrite(lo_open(1234, x'20000'::int), 'abcdefg');
   lowrite
  ---------
         7
  (1 row)
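The session above shows the checks one at a time; the following psql script is an added example (not part of the original post or the patch) that walks through the whole model end to end: creation under a non-superuser, default-deny with least-privilege grants, the read/write checks on lo_open, the ownership check on lo_unlink, and the owner transfer via ALTER LARGE OBJECT. It assumes a server built with this patch applied, the pg_largeobject layout described above (lonsp, loowner, loacl, with the row OID as the largeobject identifier), a connection method that lets the script reconnect as other roles (for example trust authentication on a development instance), and constructed roles alice, ymj and tak.

```sql
-- Added example, not code from the original post. Assumes a server with
-- this patch applied and the pg_largeobject catalog layout it describes.
-- Run as a superuser: psql -f lobj_perms.sql postgres
-- psql's default (ON_ERROR_STOP off) lets the expected ERROR lines pass
-- so the script can continue after each denied step.

CREATE ROLE alice LOGIN;   -- constructed: owner of the object
CREATE ROLE ymj   LOGIN;   -- constructed: read-only consumer
CREATE ROLE tak   LOGIN;   -- constructed: read/write consumer

-- Creation is checked against CREATE on the (assumed "public") schema,
-- so alice needs it; she then becomes the owner of the largeobject.
GRANT CREATE ON SCHEMA public TO alice;
\c - alice
SELECT lo_create(1234);
SELECT lowrite(lo_open(1234, x'20000'::int), '1234567890');  -- INV_WRITE as owner

-- Default deny for everyone else, then grant only what each role needs.
\c - postgres
REVOKE ALL ON LARGE OBJECT 1234 FROM PUBLIC;
GRANT SELECT ON LARGE OBJECT 1234 TO ymj;           -- read only
GRANT SELECT, UPDATE ON LARGE OBJECT 1234 TO tak;   -- read and write

-- Inspect the metadata row (column names assumed from the CATALOG
-- definition in the post; the row OID is the largeobject identifier).
SELECT lo.oid, n.nspname AS schema, r.rolname AS owner, lo.loacl
  FROM pg_largeobject lo
  JOIN pg_namespace n ON n.oid = lo.lonsp
  JOIN pg_roles     r ON r.oid = lo.loowner
 WHERE lo.oid = 1234;

-- ymj: read is allowed, write is denied, and drop is denied (not owner).
\c - ymj
SELECT loread(lo_open(1234, x'40000'::int), 10);      -- INV_READ: ok
SELECT lowrite(lo_open(1234, x'20000'::int), 'abc');  -- INV_WRITE: ERROR
SELECT lo_unlink(1234);                               -- ERROR: not the owner

-- tak: UPDATE was granted, so write succeeds; drop is still denied.
\c - tak
SELECT lowrite(lo_open(1234, x'20000'::int), 'abcdefg');  -- ok
SELECT lo_unlink(1234);                                   -- ERROR: not the owner

-- Ownership transfer is a separate, explicit step; only the new owner
-- (or a superuser) can then remove the object.
\c - postgres
ALTER LARGE OBJECT 1234 OWNER TO tak;
\c - tak
SELECT lo_unlink(1234);                                   -- ok: tak is the owner

-- Clean up the constructed roles.
\c - postgres
REVOKE CREATE ON SCHEMA public FROM alice;
DROP ROLE alice, ymj, tak;
```

Two points worth noting when reading the output: a grant of UPDATE alone does not make lo_unlink succeed, because deletion is an ownership check rather than an ACL check, which is why the script has to run ALTER LARGE OBJECT ... OWNER TO before tak can drop the object. The metadata query is specific to this patch's catalog layout; the large object access control that was eventually committed in PostgreSQL 9.0 keeps owner and ACL in a separate pg_largeobject_metadata catalog and has no schema column, so that SELECT would need adjusting on a released server.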


Scale of the patch:
  [kaigai(at)saba ]$ diffstat pgsql-lobj-perms-8.4rc2-r2080.patch
   backend/catalog/Makefile               |    6
   backend/catalog/aclchk.c               |  243 ++++++++++++++++++++++++++++++
   backend/catalog/dependency.c           |   15 +
   backend/catalog/pg_largeobject.c       |  265 ++++++++++++!!!!!!!!!!!!!!!!!!!!
   backend/commands/alter.c               |    9 +
   backend/libpq/be-fsstubs.c             |   25 +++
   backend/parser/gram.y                  |   28 +++
   backend/storage/large_object/inv_api.c |  140 +++------!!!!!!
   backend/tcop/utility.c                 |    6
   backend/utils/adt/acl.c                |    4
   backend/utils/cache/syscache.c         |   13 +
   include/catalog/dependency.h           |    1
   include/catalog/indexing.h             |    7
   include/catalog/pg_largeobject.h       |   21 !!
   include/catalog/pg_largeobject_data.h  |   54 ++++++
   include/catalog/toasting.h             |    1
   include/nodes/parsenodes.h             |    1
   include/utils/acl.h                    |    7
   include/utils/syscache.h               |    1
   test/regress/expected/sanity_check.out |    3
   test/regress/input/largeobject.source  |   95 +++++++++++
   test/regress/output/largeobject.source |  175 +++++++++++++++++++++
   22 files changed, 803 insertions(+), 46 deletions(-), 271 modifications(!)

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

Attachment: pgsql-lobj-perms-8.4rc2-r2080.patch.gz
Description: application/gzip (14.1 KB)
