Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
Date: 2022-07-21 16:47:30
Message-ID: CA+TgmoY8rJ3SsE3rJndLqFK1PSVfZe+hV9nM=rs-7nMRZzVVOw@mail.gmail.com
Lists: pgsql-hackers

On Thu, Jul 21, 2022 at 12:28 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> True, but what if the idea is to have *no* superusers? I seem
> to recall people being interested in setups like that.

Hmm, right. There's nothing that stops you from de-super-ing all of
your superusers today, and then if you ever need to do anything as
superuser again, you have to start up in single-user mode, which will
treat your session as super regardless. But considering how much power
the bootstrap user still has, I'm not sure that's really buying you
very much. In particular, the new GRANT ALTER SYSTEM stuff looks
sufficient to allow the bootstrap user to break out to the OS, so if
we want to regard no-superusers as a supported configuration, we
probably need to tighten that up. I think it's kind of hopeless,
though, because of the fact that you can also freely Trojan functions
and operators in pg_catalog. Maybe that's insufficient to break out to
the OS or assume superuser privileges, but you should be able to at
least Trojan every other user on the system.

> On the whole I don't have any objection to your proposal, I just
> worry that somebody else will.

OK, good to know. Thanks.

> Of course there's always "UPDATE pg_authid SET rolsuper = false",
> which makes it absolutely clear that you're breaking the glass cover.

Right.

--
Robert Haas
EDB: http://www.enterprisedb.com
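
An audit sketch for the configuration discussed in this message, added here as an example and not part of the original email or the PostgreSQL source: it lists the roles that still hold SUPERUSER, the per-parameter ALTER SYSTEM grants, and the owners of pg_catalog functions and operators. It assumes PostgreSQL 15 or later (for pg_parameter_acl) and that the bootstrap superuser has OID 10.

```sql
-- 1. Roles that still have rolsuper set, plus the bootstrap role (assumed
--    OID 10) even if it has been de-supered, so its current state is visible.
SELECT oid,
       rolname,
       rolsuper,
       rolcanlogin,
       (oid = 10) AS is_bootstrap
FROM pg_roles
WHERE rolsuper OR oid = 10
ORDER BY oid;

-- 2. Per-parameter grants (PostgreSQL 15+). privilege_type is 'SET' or
--    'ALTER SYSTEM'; a grantee OID of 0 means PUBLIC.
SELECT p.parname,
       a.privilege_type,
       COALESCE(g.rolname, 'PUBLIC') AS grantee_name,
       r.rolname                     AS grantor_name,
       a.is_grantable
FROM pg_parameter_acl AS p
CROSS JOIN LATERAL aclexplode(p.paracl) AS a
LEFT JOIN pg_roles AS g ON g.oid = a.grantee
LEFT JOIN pg_roles AS r ON r.oid = a.grantor
ORDER BY p.parname, grantee_name, a.privilege_type;

-- 3. Owners of functions and operators in pg_catalog. Whoever owns these
--    objects can redefine what every other user executes.
SELECT 'function' AS kind,
       pg_get_userbyid(proowner) AS owner,
       count(*) AS objects
FROM pg_proc
WHERE pronamespace = 'pg_catalog'::regnamespace
GROUP BY proowner
UNION ALL
SELECT 'operator',
       pg_get_userbyid(oprowner),
       count(*)
FROM pg_operator
WHERE oprnamespace = 'pg_catalog'::regnamespace
GROUP BY oprowner
ORDER BY kind, owner;
```

An empty result from the first query's `rolsuper` rows together with non-empty results from the second and third shows what a nominally superuser-free cluster still leaves in the hands of the listed roles.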
