From: | Tomas Vondra <tv(at)fuzzy(dot)cz> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: system administration functions with hardcoded superuser checks |
Date: | 2012-12-19 21:02:11 |
Message-ID: | 50D22B53.2070907@fuzzy.cz |
Lists: | pgsql-hackers |
On 19.12.2012 07:34, Magnus Hagander wrote:
> On Wed, Dec 19, 2012 at 1:58 AM, Tomas Vondra <tv(at)fuzzy(dot)cz> wrote:
>> On 18.12.2012 18:38, Pavel Stehule wrote:
>>> 2012/12/18 Peter Eisentraut <peter_e(at)gmx(dot)net>:
>>>> There are some system administration functions that have hardcoded
>>>> superuser checks, specifically:
>>>>
>>>> pg_reload_conf
>>>> pg_rotate_logfile
>>>>
>>>> Some of these are useful in monitoring or maintenance tools, and the
>>>> hardcoded superuser checks require that these tools run with maximum
>>>> privileges. Couldn't we just install these functions without default
>>>> privileges and allow users to grant privileges as necessary?
>>>
>>> isn't it too strong a gun for some people???
>>>
>>> I believe someone can decrease the necessary rights and it opens doors
>>> to the system.
>>
>> No one was speaking about making them executable by a wider group of
>> users by default (i.e. decreasing necessary rights). Today, when you
>> need to provide the EXECUTE privilege on those functions, you have three
>> options
>
> Given how limited these functions are in scope, I don't see a problem here.
>
>>>> pg_read_file
>>>> pg_read_file_all
>>>> pg_read_binary_file
>>>> pg_read_binary_file_all
>>>> pg_stat_file
>>>> pg_ls_dir
>>>
>>> is relatively dangerous and I am not for opening these functions.
>>>
>>> a power user can simply write an extension, but he knows what he does.
>>
>> I see only dangers that are already present.
>
> Granting executability on pg_read_xyz is pretty darn close to granting
> superuser, without explicitly asking for it. Well, you get "read only
> superuser". If we want to make that step as easy as just GRANT, we
> really need to write some *very* strong warnings in the documentation
> so that people realize this. I doubt most people will realize it
> unless we do that (and those who don't read the docs, which is probably
> a majority, never will).
Yup, that's what I meant by the possibility to perform "additional parameter
value checks" ;-)
Tomas
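The "additional parameter value checks" mentioned above, as an added example that is not code from this thread: instead of granting EXECUTE on pg_read_file itself (which, as Magnus notes, is close to a read-only superuser), a superuser creates a SECURITY DEFINER wrapper that only reads files directly under the server's log_directory, and grants that wrapper to a monitoring role. The role name `monitoring` and the function name `read_server_log` are assumptions.

```sql
-- Added example (not from the thread). Run as a superuser, so the wrapper
-- executes with superuser rights and pg_read_file's hardcoded check passes.
CREATE FUNCTION read_server_log(p_name text)
RETURNS text
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so the wrapper cannot be redirected to objects in a
-- caller-controlled schema.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    -- Parameter value check: accept a bare file name only. Rejecting path
    -- separators and leading dots keeps the caller inside log_directory
    -- (no '../' or absolute paths), so the role cannot read arbitrary files.
    IF p_name IS NULL OR p_name = ''
       OR p_name ~ '[/\\]' OR p_name ~ '^\.' THEN
        RAISE EXCEPTION 'invalid log file name: %', p_name;
    END IF;

    -- Relative log_directory values are resolved against the data directory,
    -- exactly as the server itself resolves them.
    RETURN pg_catalog.pg_read_file(
        pg_catalog.current_setting('log_directory') || '/' || p_name);
END;
$$;

-- Functions are executable by PUBLIC by default; take that away first ...
REVOKE EXECUTE ON FUNCTION read_server_log(text) FROM PUBLIC;
-- ... and hand it only to the role that actually needs it (assumed name).
GRANT EXECUTE ON FUNCTION read_server_log(text) TO monitoring;
```

The monitoring role still has no EXECUTE privilege on pg_read_file itself, so the only files it can reach are the ones the wrapper's check admits.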