Re: On login trigger: take three

pá 11. 12. 2020 v 17:05 odesílatel Konstantin Knizhnik <
k(dot)knizhnik(at)postgrespro(dot)ru> napsal:

>
>
> On 11.12.2020 18:40, Pavel Stehule wrote:
>
>
> is not correct. It makes it not possible to superuser to disable triggers
>> for all users.
>>
>
> pg_database_ownercheck returns true for superuser always.
>
>
> Sorry, but I consider different case: when normal user is connected to the
> database.
> In this case pg_database_ownercheck returns false and trigger is not
> disabled, isn't it?
>

My idea was to reduce necessary rights to database owners. But you have a
true, so only superuser can create event trigger, so this feature cannot be
used in DBaaS environments, and then my original idea was wrong.

>
> Also GUCs are not associated with any database. So I do not understand
>> why this check of database ownership is relevant at all?
>>
>> What kind of protection violation we want to prevent?
>>
>> It seems to be obvious that normal user should not be able to prevent
>> trigger execution because this triggers may be used to enforce some
>> security policies.
>> If trigger was created by user itself, then it can drop or disable it
>> using ALTER statement. GUC is not needed for it.
>>
>
> when you cannot connect to the database, then you cannot do ALTER. In
> DBaaS environments lot of users has not superuser rights.
>
>
>
> But only superusers can set login triggers, right?
> So only superuser can make a mistake in this trigger. But he have enough
> rights to recover this error. Normal users are not able to define on
> connection triggers and
> should not have rights to disable them.
>

yes, it is true

Pavel

> --
> Konstantin Knizhnik
> Postgres Professional: http://www.postgrespro.com
> The Russian Postgres Company
>
>