Re: [PATCH] Largeobject access controls

Robert Haas wrote:
> 2009/9/23 KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>> Now, I'm revising the patch as follows:
>> - pg_largeobject_meta is renamed to pg_largeobject_metadata
>> - The GUC of largeobject_compat_dac is renamed to largeobject_compat_acl
>> - psql supports \dl to show owner of the largeobject
>> - add documentation for the GUC, and add it to the postgresql.conf.sample
>
> I still don't like the idea of having a GUC that turns off a
> substantial part of the security system.
>
> Am I the only one?

I also think you are right from the viewpoint of the security.
Smaller number of pitfall on configuration is basically better.

However, we already released v8.4.x or prior versions without ACL
checks on largeobjects, so it is necessary to pay attentions for
existing SQLs which expect no ACL checks on largeobject accesses.
The purpose of the GUC is to provide users compatible bahaviors on
largeobjects.

BTW, here is one idea. When the largeobject_compat_acl is turned on,
it allows to bypass ACL checks, but it generates warning message for
violated accesses. User can notice his SQL should be fixed at the
v8.5.x or later.
(It is similar to the permissive-mode in SELinux.)

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>