| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Simon Riggs <simon(at)2ndquadrant(dot)com> |
| Cc: | Vik Fearing <vik(dot)fearing(at)2ndquadrant(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net> |
| Subject: | Re: Recognizing superuser in pg_hba.conf |
| Date: | 2020-01-09 15:06:06 |
| Message-ID: | 5526.1578582366@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Simon Riggs <simon(at)2ndquadrant(dot)com> writes:
> On Wed, 8 Jan 2020 at 23:55, Vik Fearing <vik(dot)fearing(at)2ndquadrant(dot)com>
> wrote:
>> What is being proposed is what is in the Subject and the original
>> patch. The other patch is because Tom didn't like "the continuing creep
>> of pseudo-reserved database and user names" so I wrote a patch to mark
>> such reserved names and rebased my original patch on top of it. Only
>> the docs changed in the rebase. The original patch (or its rebase) is
>> what I am interested in.
> Hopefully there will be no danger of me gaining access if I have a crafted
> rolename?
> postgres=# create role "&backdoor";
> CREATE ROLE
Well, the existence of such a role name wouldn't by itself cause any
change in the way that pg_hba.conf is parsed. If you could then
persuade a superuser to insert a pg_hba.conf line that is trying
to match your username, the line might do something else than what the
superuser expected, which is bad. But the *exact* same hazard applies
to proposals based on inventing pseudo-reserved keywords (by which
I mean things that look like names, but aren't reserved words, so that
somebody could create a role name matching them). Either way, an
uninformed superuser could be tricked.
What I'm basically objecting to is the pseudo-reservedness. If we
don't want to dodge that with special syntax, we should dodge it
by making sure the keywords are actually reserved names. In other
words, add a "pg_" prefix, as somebody else suggested upthread.
I don't personally find that prettier than a punctuation prefix,
but I can live with it if other people do.
BTW, although that solution works for the immediate need of
keywords that have to be distinguished from role names, it doesn't
currently scale to keywords for the database column, because we
don't treat "pg_" as a reserved prefix for database names:
regression=# create role pg_zit;
ERROR: role name "pg_zit" is reserved
DETAIL: Role names starting with "pg_" are reserved.
regression=# create database pg_zit;
CREATE DATABASE
Should we do so, or wait till there's an immediate need to?
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Konstantin Knizhnik | 2020-01-09 15:07:46 | Re: [Proposal] Global temporary tables |
| Previous Message | Christoph Berg | 2020-01-09 14:59:00 | Re: pgsql: Add basic TAP tests for psql's tab-completion logic. |