Re: Recognizing superuser in pg_hba.conf

From: David Fetter <david(at)fetter(dot)org>
To: Vik Fearing <vik(dot)fearing(at)2ndquadrant(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>
Subject: Re: Recognizing superuser in pg_hba.conf
Date: 2019-12-30 19:27:12
Message-ID: 20191230192711.GP32763@fetter.org
Lists: pgsql-hackers

On Mon, Dec 30, 2019 at 11:56:17AM +0100, Vik Fearing wrote:
> On 29/12/2019 23:10, Vik Fearing wrote:
> > On 29/12/2019 17:31, Tom Lane wrote:
> >> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> >>> On Sat, Dec 28, 2019 at 2:02 PM Vik Fearing <vik(dot)fearing(at)2ndquadrant(dot)com> wrote:
> >>>> I'm all for this (and even suggested it during the IRC conversation that
> >>>> prompted this patch). It's rife with bikeshedding, though. My original
> >>>> proposal was to use '&' and Andrew Gierth would have used ':'.
> >>> I think this is a good proposal regardless of which character we
> >>> decide to use. My order of preference from highest-to-lowest would
> >>> probably be :*&, but maybe that's just because I'm reading this on
> >>> Sunday rather than on Tuesday.
> >> I don't have any particular objection to '&' if people prefer that.
> >
> > I wrote the patch so I got to decide. :-)  I will also volunteer to do
> > the grunt work of changing the symbol if consensus wants that, though.
> >
> >
> > It turns out that my original patch didn't really change, all the meat
> > is in the keywords patch.  The superuser patch is to be applied on top
> > of the keywords patch.
> >
>
> I missed a few places in the tap tests.  New keywords patch attached,
> superuser patch unchanged.
>
> --
>
> Vik Fearing
>

Patches apply cleanly to 0ce38730ac72029f3f2c95ae80b44f5b9060cbcc, and
include documentation. They could use an example of the new
capability, possibly included in the sample pg_hba.conf, e.g.

host &all &superuser 0.0.0.0/0 reject

or similar.

The feature works as described, and is useful. I have thus far been
unable to make it crash.

I haven't used intentionally hostile strings to test it, as I didn't
see those as an important attack surface. This is because by the time
someone hostile can write to pg_hba.conf, they've got all the control
they need to manipulate the entire node, including root exploits.

I've marked this as Ready for Committer.

Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
