Re: untrusted PLs should be GRANTable

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Craig Ringer <craig(at)2ndquadrant(dot)com>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: untrusted PLs should be GRANTable
Date: 2018-07-18 10:36:12
Message-ID: CA+TgmoadbBWqhuUd9tg5MJnN7bGP-VOB43z7jNJe_SiyPnhdrg@mail.gmail.com
Lists: pgsql-hackers

On Tue, Jul 17, 2018 at 1:20 AM, Craig Ringer <craig(at)2ndquadrant(dot)com> wrote:
> Forcing users to create their PLs as a superuser increases the routine use
> of superuser accounts. Most users' DDL deploy scripts will get run as a
> superuser if they have to use a superuser for PL changes; they're not going
> to SET ROLE and RESET ROLE around the function changes.
>
> It also encourages users to make their untrusted functions SECURITY DEFINER
> when still owned by a superuser, which we really don't want them doing
> unnecessarily.
>
> In the name of making things more secure, we've made them less secure.
>
> Untrusted PLs should be GRANTable with a NOTICE or WARNING telling the admin
> that GRANTing an untrusted PL effectively gives the user the ability to
> escape to superuser.

+1.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
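As an added illustration, not part of the thread or of PostgreSQL itself: the pattern Craig warns about (a superuser-owned SECURITY DEFINER wrapper around an untrusted PL, with PUBLIC's default EXECUTE left in place), next to a deploy script that keeps superuser use down to the one statement that needs it, and a catalog query to find functions that already fit the bad pattern. It assumes the untrusted language plpythonu is installed (plpython3u behaves the same) and that roles named app_deployer and app_monitor exist; the role names and both function bodies are hypothetical.

```sql
-- Context: today the GRANT the thread asks for is rejected outright, because
-- only superusers may use an untrusted language:
--   GRANT USAGE ON LANGUAGE plpythonu TO app_deployer;  -- fails: language "plpythonu" is not trusted

-- 1. The pattern the post warns against. Any role that can connect can run
--    shell commands as the server's OS user (the Python code runs inside the
--    backend, SECURITY DEFINER or not), and because the function is
--    SECURITY DEFINER and owned by a superuser, any SQL it issues runs as
--    that superuser as well. Default privileges give PUBLIC EXECUTE.
CREATE FUNCTION shell(cmd text) RETURNS text
LANGUAGE plpythonu SECURITY DEFINER AS $$
import subprocess
return subprocess.check_output(cmd, shell=True).decode()
$$;

-- 2. The same deploy script with superuser use confined to the one statement
--    that needs it. Everything else runs as the less privileged deployer role.
SET ROLE app_deployer;
CREATE TABLE IF NOT EXISTS disk_usage_log (
    observed_at timestamptz NOT NULL DEFAULT now(),
    free_bytes  bigint      NOT NULL
);
RESET ROLE;

-- The untrusted-PL function is kept narrow: no command or path parameter,
-- no SECURITY DEFINER, and EXECUTE withheld from PUBLIC. The backend's
-- working directory is the data directory, so "." is what gets measured.
CREATE OR REPLACE FUNCTION data_dir_free_bytes() RETURNS bigint
LANGUAGE plpythonu AS $$
import os
st = os.statvfs(".")
return st.f_bavail * st.f_frsize
$$;
REVOKE EXECUTE ON FUNCTION data_dir_free_bytes() FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION data_dir_free_bytes() TO app_monitor;

-- 3. Audit: every function written in an untrusted procedural language, with
--    the two attributes that turn it into an escape hatch listed first.
SELECT p.oid::regprocedure                                   AS func,
       l.lanname                                             AS language,
       r.rolname                                             AS owner,
       r.rolsuper                                            AS owner_is_superuser,
       p.prosecdef                                           AS security_definer,
       has_function_privilege('public', p.oid, 'EXECUTE')    AS public_can_execute
FROM   pg_proc     p
JOIN   pg_language l ON l.oid = p.prolang
JOIN   pg_roles    r ON r.oid = p.proowner
WHERE  l.lanispl AND NOT l.lanpltrusted   -- procedural and untrusted
ORDER  BY 6 DESC, 5 DESC, 1;
```

The audit query is the check to run after any deploy that touched untrusted-PL functions: a row with public_can_execute = true is a problem whatever the other columns say, since executing untrusted-PL code already means running as the server's OS user; security_definer = true with owner_is_superuser = true is the case the post describes and deserves a REVOKE or a rewrite without SECURITY DEFINER.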
