| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | David Christensen <david(dot)christensen(at)crunchydata(dot)com> |
| Cc: | Daniel Gustafsson <daniel(at)yesql(dot)se>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: CREATE ROLE IF NOT EXISTS |
| Date: | 2021-11-03 22:18:00 |
| Message-ID: | 264986.1635977880@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
David Christensen <david(dot)christensen(at)crunchydata(dot)com> writes:
> Updated version attached.
I'm generally pretty down on IF NOT EXISTS semantics in all cases,
but it seems particularly dangerous for something as fundamental
to privilege checks as a role. It's not hard at all to conjure up
scenarios in which this permits privilege escalation. That is,
Alice wants to create role Bob and give it some privileges, but
she's lazy and writes a quick-and-dirty script using CREATE ROLE
IF NOT EXISTS. Meanwhile Charlie sneaks in and creates Bob first,
and then grants it to himself. Now Alice's script is giving away
all sorts of privilege to Charlie. (Admittedly, Charlie must have
CREATEROLE privilege already, but that doesn't mean he has every
privilege that Alice has --- especially not as we continue working
to slice the superuser salami ever more finely.)
Do we really need this?
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Justin Pryzby | 2021-11-03 22:39:13 | Re: should we enable log_checkpoints out of the box? |
| Previous Message | Peter Smith | 2021-11-03 22:09:17 | Re: row filtering for logical replication |