From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Josh Berkus <josh(at)agliodbs(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: db_user_namespace a "temporary measure" |
Date: | 2014-03-12 15:06:49 |
Message-ID: | 20140312150649.GS12995@tamriel.snowman.net |
Lists: | pgsql-hackers |

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> On Wed, Mar 12, 2014 at 3:52 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > I share your doubts as to how useful such a concept actually is, but
> > it'd work if we had real local users.
>
>
> It can also do interesting things like ALTER SYSTEM, replication, backups,
> etc. All of which could be used to escalate privileges beyond the local
> database.

Probably DROP ROLE for global users too.

> So you'd have to somehow restrict those, at which point what's the point of
> the property in the first place?

We've been asked quite often for a not-quite-superuser, as in, one which
can bypass the normal GRANT-based permission system but which can't do
things like create untrusted functions or do other particularly bad
activities. I can certainly see value in that. Another oft-requested
option is a read-only role which pg_dump or an auditor could use.

Anyway, this is getting a bit far afield from the original discussion,
which looked like it might actually be heading somewhere interesting..

Thanks,

Stephen