| From: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
|---|---|
| To: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | untrusted PLs should be GRANTable |
| Date: | 2018-07-17 05:20:29 |
| Message-ID: | CAMsr+YGXjdQs2cG0R-a59C-HW3aAdcqOHdC1SR7SHVh+2J6cxA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi all
A user has raised the point that our refusal to GRANT rights to untrusted
PLs is counterproductive and inconsistent with how we behave elsewhere.
Yes, untrusted PLs can be escaped to gain superuser rights, often trivially.
But we allow this:
CREATE ROLE superme SUPERUSER NOINHERIT;
GRANT superme TO me;
.... and really, GRANTing an untrusted PL is similar.
Forcing users to create their PLs as a superuser increases the routine use
of superuser accounts. Most users' DDL deploy scripts will get be run as a
superuser if they have to use a superuser for PL changes; they're not going
to SET ROLE and RESET ROLE around the function changes.
It also encourages users to make their untrusted functions SECURITY DEFINER
when still owned by a superuser, which we really don't want them doing
unnecessarily.
In the name of making things more secure, we've made them less secure.
Untrusted PLs should be GRANTable with a NOTICE or WARNING telling the
admin that GRANTing an untrusted PL effectively gives the user the ability
to escape to superuser.
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kato, Sho | 2018-07-17 05:44:41 | RE: How to make partitioning scale better for larger numbers of partitions |
| Previous Message | Amit Langote | 2018-07-17 04:59:35 | Re: pgsql: Allow UNIQUE indexes on partitioned tables |