Re: [GENERAL] BUG #1830: Non-super-user must be able to copy from a

On Fri, Aug 19, 2005 at 09:15:52AM -0400, Stephen Frost wrote:
> Personally, I do like the idea of a user-level 'copy server-side files'
> permission that could be granted to reduce the need for things to run as
> superuser.

There is one important point though: The server copying things is
seriously restricted. No matter how much authentication you do, the
server cannot *become* you. Hence it cannot access your files unless
they are world readable.

For similar reasons, it cannot prevent the user from accessing the
postgresql system files since it *is* the postgresql user and that
cannot be changed. The UNIX way around this would be for the client to
open the file with its permissions and then pass the FD to the server.
But that's a rather interesting twist that only works on local sockets.

> I'd probably still set up a SECURITY DEFINER function to a
> user with those permissions as an additional layer of security but it'd
> be nice to not have to run the function as superuser.

Superuser is still limited by the system uid, that can't be changed.

> It is, of course, good to note that current Postgres 'md5' auth method
> usage means that a compromise of pg_shadow (pg_authid) gives the
> attacker superuser access immediately (the hash itself is the actual
> authentication token, the password isn't actually interesting in that
> case).

It's a compromise solution. Normal authentication (aka shadow file):
server has only hash but password is in clear over the wire. MD5 auth:
server knows the password (or enough to spoof) but it's not in the
clear over the wire. Pick your poison...

For true security use public key auth (certificates / keys / etc).

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.