From: | Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | David Christensen <david(dot)christensen(at)crunchydata(dot)com>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: CREATE ROLE IF NOT EXISTS |
Date: | 2021-11-09 16:32:22 |
Message-ID: | D4E40F96-723C-4547-BE5C-AFAAFA365447@enterprisedb.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
> On Nov 9, 2021, at 8:22 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
> In terms of least-surprise, I do tend to think that the answer is "only
> care about what is explicitly put into the command"- that is, if it
> isn't in the CREATE ROLE statement then it gets left as-is. Not sure
> how others feel about that though.
bob: CREATE ROLE charlie;
bob: GRANT charlie TO david;
super_alice: CREATE OR REPLACE ROLE charlie SUPERUSER;
I think this is the sort of thing Tom and I are worried about. "david" is now a member of a superuser role, and it is far from clear that "super_alice" intended that. Even if "bob" is not malicious, having this happen by accident is pretty bad.
If we fix the existing bug that the pg_auth_members.grantor field can end up as a dangling reference, instead making sure that it is always accurate, then perhaps this would be ok if all roles granted into "charlie" had grantor="super_alice". I'm not sure that is really good enough, but it is a lot closer to making this safe than allowing the command to succeed when role "charlie" has been granted away by someone else.
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2021-11-09 16:50:10 | Re: CREATE ROLE IF NOT EXISTS |
Previous Message | Stephen Frost | 2021-11-09 16:29:38 | Re: Predefined role pg_maintenance for VACUUM, ANALYZE, CHECKPOINT. |