| From: | Jeff Davis <pgsql(at)j-davis(dot)com> |
|---|---|
| To: | Dimitri Fontaine <dimitri(at)2ndQuadrant(dot)fr> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Boszormenyi Zoltan <zb(at)cybertec(dot)at>, Thom Brown <thom(at)linux(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Extension Templates S03E11 |
| Date: | 2013-11-30 21:00:28 |
| Message-ID: | 1385845228.7500.267.camel@jdavis |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, 2013-11-27 at 18:34 +0100, Dimitri Fontaine wrote:
> The other main point that will change the current code is dealing with
> superusers and security concerns. Baring objections, I'm going to
> implement a variation of what I did propose in the thread:
>
> When a superuser CREATE EXTENSION against a template that has been
> provided by a non-privileged user, automatically SET ROLE to that user
> before doing so, avoiding escalation privileges.
That proposal is worded like a special case for superusers, and I don't
see why. If the security model is that an extension script is run with
as the template owner, then we should just do that universally. If not,
making a special case for superusers undermines the security of
powerful-but-not-superuser roles.
I haven't looked in detail at the security issues here... is this the
result of a consensus or are there still differing opinions?
> If that's not what the superuser intended, then it still is possible for
> him to ALTER TEMPLATE FOR EXTENSION … OWNER TO himself beforehand.
Doesn't sound like a clean workaround.
We already have a model for executing functions, and those are black
boxes of code as well. If we deviate too much from that, I think we're
inviting problems.
Heikki expressed some concerns here:
http://www.postgresql.org/message-id/5152FF3D.4000401@vmware.com
followed by Robert. The concerns seem mostly about the namespace,
because it's hard to be sure that "CREATE EXTENSION foo" installs the
"foo" you expect. Those are very valid practical concerns; but I agree
with Dimitri that this is not a fundamental problem, and we might find a
compromise here that can work.
One idea: if a non-superuser role creates an extension template, then it
is only visible to that exact same role.
The first version might only allow superusers to create extension
templates, but it would be nice to have a plan for non-superusers soon.
Aside: why do file-based templates shadow catalog-based templates?
Shouldn't we just throw an error if both are available at CREATE
EXTENSION time?
Also, I notice that the extension templates are not in shared catalogs;
was that discussed?
(Some of these issues seem underdocumented, as well.)
Regards,
Jeff Davis
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2013-11-30 21:07:11 | Re: Re: [BUGS] BUG #7873: pg_restore --clean tries to drop tables that don't exist |
| Previous Message | Kevin Grittner | 2013-11-30 20:07:11 | Re: [GENERAL] pg_upgrade ?deficiency |