From: | Hannu Krosing <hannuk(at)google(dot)com> |
---|---|
To: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
Cc: | Andres Freund <andres(at)anarazel(dot)de>, Jeff Davis <pgsql(at)j-davis(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Robert Pang <robertpang(at)google(dot)com> |
Subject: | Re: Hardening PostgreSQL via (optional) ban on local file system access |
Date: | 2022-06-29 07:45:59 |
Message-ID: | CAMT0RQS2ykYt+fwaaDH3+aAAOs7Po9EhY1ixT7pmkfuGVkRTJQ@mail.gmail.com |
Lists: | pgsql-hackers |
The idea is to allow superuser, but only in case you *already* have
access to the file system.
You could think of it as a two-factor authentication for using superuser.
So in the simplest implementation it would be
touch $PGDATA/allow_superuser
psql
hannuk=# CREATE EXTENSION ...
rm $PGDATA/allow_superuser
and in more sophisticated implementation it could be
terminal 1:
psql
hannuk=# select pg_backend_pid();
pg_backend_pid
----------------
1749025
(1 row)
terminal 2:
echo 1749025 > $PGDATA/allow_superuser
back to terminal 1 still connected to backend with pid 1749025:
$ CREATE EXTENSION ...
.. and then clean up the sentinel file after, or just make it valid
for N minutes from creation
Cheers,
Hannu Krosing
On Wed, Jun 29, 2022 at 8:51 AM Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> wrote:
>
> On Tue, 2022-06-28 at 16:27 -0700, Andres Freund wrote:
> > > Experience shows that 99% of the time one can run PostgreSQL just fine
> > > without a superuser
> >
> > IME that's not at all true. It might not be needed interactively, but that's
> > not all the same as not being needed at all.
>
> I also disagree with that. Not having a superuser is one of the pain
> points with using a hosted database: no untrusted procedural languages,
> no untrusted extensions (unless someone hacked up PostgreSQL or provided
> a workaround akin to a SECURITY DEFINER function), etc.
>
> Yours,
> Laurenz Albe
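The gating logic sketched in the mail above (a sentinel file under $PGDATA, optionally bound to one backend pid, optionally valid only for N minutes after creation), written out as an added illustration. This is not a PostgreSQL patch and not code from anyone in the thread. It assumes the file name allow_superuser from the mail, treats an empty file as "any backend" (the simple touch variant) and a file holding a pid as bound to that backend, and adds two checks the mail does not mention: the sentinel must be a regular file (not a symlink) owned by the user the check runs as, so that only someone who can already write into the data directory as the server user can grant superuser.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

SENTINEL_NAME = "allow_superuser"  # file name used in the mail


def superuser_allowed(pgdata, backend_pid, max_age_seconds=None, now=None):
    """Decide whether the sentinel permits superuser for this backend.

    Hypothetical rules modelled on the proposal:
      - $PGDATA/allow_superuser must exist as a regular file owned by us
        (on platforms with geteuid; a symlink is rejected);
      - if max_age_seconds is given, the file's mtime must be younger;
      - an empty file grants any backend, a non-empty file must contain
        exactly this backend's pid; anything else fails closed.
    """
    path = Path(pgdata) / SENTINEL_NAME
    try:
        st = path.lstat()  # lstat so a symlink is not followed
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        return False  # planted by some other local account
    now = time.time() if now is None else now
    if max_age_seconds is not None and now - st.st_mtime > max_age_seconds:
        return False  # sentinel expired
    content = path.read_text().strip()
    if content == "":
        return True  # plain "touch" variant: presence alone grants
    try:
        return int(content) == backend_pid
    except ValueError:
        return False  # malformed sentinel: fail closed


def demo():
    """Exercise the check in a throwaway directory standing in for $PGDATA.

    Values (pid 1749025, file contents) are constructed for the demo.
    """
    results = {}
    with tempfile.TemporaryDirectory() as pgdata:
        path = Path(pgdata) / SENTINEL_NAME
        results["absent"] = superuser_allowed(pgdata, 1749025)
        path.write_text("")                     # touch $PGDATA/allow_superuser
        results["touched"] = superuser_allowed(pgdata, 1749025)
        path.write_text("1749025\n")            # echo 1749025 > $PGDATA/allow_superuser
        results["pid_match"] = superuser_allowed(pgdata, 1749025)
        results["pid_other"] = superuser_allowed(pgdata, 4242)
        path.write_text("not-a-pid\n")
        results["garbage"] = superuser_allowed(pgdata, 1749025)
        path.write_text("1749025\n")
        stale = time.time() - 3600
        os.utime(path, (stale, stale))          # pretend it was created an hour ago
        results["expired"] = superuser_allowed(pgdata, 1749025, max_age_seconds=600)
        results["fresh_window"] = superuser_allowed(pgdata, 1749025, max_age_seconds=7200)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:13s} -> {'superuser allowed' if allowed else 'denied'}")
```

The check is deliberately fail-closed: a missing, foreign-owned, symlinked, expired or unparseable sentinel all deny, so the only way to get a grant is the sequence the mail describes (touch or echo the pid into the file as the server's own user).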