Re: system administration functions with hardcoded superuser checks

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Noah Misch <noah(at)leadboat(dot)com>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: system administration functions with hardcoded superuser checks
Date: 2012-12-19 00:57:16
Message-ID: CA+Tgmob1AAkUp--yVBpwyxPDSTMCOyjE3-Lnx+V5nfhM7ovGtA@mail.gmail.com
Lists: pgsql-hackers

On Tue, Dec 18, 2012 at 7:41 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Tue, Dec 18, 2012 at 12:09:10PM -0500, Peter Eisentraut wrote:
>> There are some system administration functions that have hardcoded
>> superuser checks, specifically:
>>
>> pg_reload_conf
>> pg_rotate_logfile
>> pg_read_file
>> pg_read_file_all
>> pg_read_binary_file
>> pg_read_binary_file_all
>> pg_stat_file
>> pg_ls_dir
>>
>> Some of these are useful in monitoring or maintenance tools, and the
>> hardcoded superuser checks require that these tools run with maximum
>> privileges. Couldn't we just install these functions without default
>> privileges and allow users to grant privileges as necessary?
>
> +1. You can already use a SECURITY DEFINER wrapper, so I don't think this
> opens any particular floodgate. GRANT is a nicer interface. However, I would
> not advertise this as a replacement for wrapper functions until pg_dump can
> preserve ACL changes to pg_catalog objects.

Yeah. That is a bit of a foot-gun to this approach, although I too
agree on the general theory.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
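
The SECURITY DEFINER wrapper approach mentioned in the quoted reply, as an added example that is not part of the original message or of PostgreSQL itself. The role `monitor`, the schema `admin_wrappers` and both function names are hypothetical, and the script assumes it is run by a superuser on a server whose `postgresql.conf` lives in the data directory.

```sql
-- Added example: hypothetical names throughout; run as a superuser.
BEGIN;

CREATE ROLE monitor NOLOGIN;                 -- group role for monitoring tools
CREATE SCHEMA admin_wrappers;
REVOKE ALL ON SCHEMA admin_wrappers FROM PUBLIC;
GRANT USAGE ON SCHEMA admin_wrappers TO monitor;

-- Wrapper for pg_rotate_logfile(): the body runs with the owner's
-- (superuser) rights, so the hardcoded superuser check passes.
-- Pinning search_path keeps the caller from substituting objects.
CREATE FUNCTION admin_wrappers.rotate_logfile()
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$ SELECT pg_catalog.pg_rotate_logfile() $$;

-- Wrapper for pg_stat_file(): narrowed to one fixed file instead of
-- passing a caller-supplied path through to a superuser-only function.
CREATE FUNCTION admin_wrappers.stat_conf(OUT size bigint,
                                         OUT modification timestamptz)
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    SELECT s.size, s.modification
    FROM pg_catalog.pg_stat_file('postgresql.conf') AS s
$$;

-- New functions are executable by PUBLIC by default; remove that and
-- grant EXECUTE only to the monitoring role.
REVOKE ALL ON FUNCTION admin_wrappers.rotate_logfile() FROM PUBLIC;
REVOKE ALL ON FUNCTION admin_wrappers.stat_conf() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION admin_wrappers.rotate_logfile() TO monitor;
GRANT EXECUTE ON FUNCTION admin_wrappers.stat_conf() TO monitor;

COMMIT;

-- A login role that is a member of monitor can then call:
--   SELECT admin_wrappers.rotate_logfile();
--   SELECT * FROM admin_wrappers.stat_conf();
```

Because the wrappers and their ACLs live in a user schema rather than pg_catalog, pg_dump carries them across a dump and restore.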
