Re: Possibility to disable `ALTER SYSTEM`

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: Joel Jacobson <joel(at)compiler(dot)org>
Cc: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Possibility to disable `ALTER SYSTEM`
Date: 2024-02-07 13:34:06
Message-ID: CAKFQuwbih7t2xG7+_b_mNUYV=XZ4HJYXmSghFKy7JaJa9qz9yQ@mail.gmail.com
Lists: pgsql-hackers

On Wednesday, February 7, 2024, Joel Jacobson <joel(at)compiler(dot)org> wrote:

>
> On Fri, Sep 8, 2023, at 23:43, Magnus Hagander wrote:
> > We need an "allowlist" of things a user can do, rather than a blocklist
> > of "they can do everything they can possibly think of and a computer
> > is capable of doing, except for this one specific thing". Blocklisting
> > individual permissions of a superuser will never be secure.
>
> +1 for preferring an "allowlist" approach over a blocklist.
>

The status quo is allow everything, so while the theory is nice, it seems
that requiring it to be allowlist is just going to scare anyone off of
actually improving matters.

Also, this isn’t necessarily about blocking the superuser, it is about
effectively disabling features deemed undesirable at runtime. All features
enabled by default seems like a valid policy.

While the only features likely to be disabled are those involving someone’s
definition of security, the security policy is still that superuser can do
everything the system is capable of doing.

David J.
