From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Floris Van Nee <florisvannee(at)optiver(dot)com>, Kirill Reshke <reshke(at)double(dot)cloud>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: pg_init_privs corruption. |
Date: | 2023-02-20 15:15:23 |
Message-ID: | Y/OOixnDlj3UxSxj@tamriel.snowman.net |
Lists: | pgsql-hackers |
Greetings,
* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Floris Van Nee <florisvannee(at)Optiver(dot)com> writes:
> > This is as far as I can see the same case as what I reported a few years ago here: https://www.postgresql.org/message-id/flat/1574068566573.13088%40Optiver.com#488bd647ce6f5d2c92764673a7c58289
> > There was a discussion with some options, but no fix back then.
>
> Hmm, so Stephen was opining that the extension's objects shouldn't
> have gotten these privs attached in the first place. I'm not
> quite convinced about that one way or the other, but if you buy it
> then maybe this situation is unreachable once we fix that. I'm
> not sure though. It's still clear that we are making ACL entries
> that aren't reflected in pg_shdepend, and that seems bad.
Would be great to get some other thoughts on this then, perhaps, as it's
clearly not good as-is either.
I mentioned in that other thread that recording the dependency should be
done but that it's an independent issue and I do still generally feel
that way, so I guess we're all mostly in agreement that the dependency
should get recorded and perhaps we can just go do that.
I don't see any cases of it currently, but I do still worry, as I also
mentioned in the prior thread, that by allowing DEFAULT PRIVILEGES to
impact extension objects we could end up with a security issue.
Specifically, if a user sets up their schema like:
ALTER DEFAULT PRIVILEGES ... GRANT EXECUTE ON FUNCTIONS TO me;
and then creates an extension which is marked as 'trusted':
CREATE EXTENSION abc;
where that extension manages function access through the GRANT system
(as many do, eg: pg_stat_statements which does:
REVOKE ALL ON FUNCTION pg_stat_statements_reset() FROM PUBLIC;
)
That the user then will have EXECUTE rights on that function which they
really shouldn't have.
Thanks,
Stephen
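As an added example (not part of Stephen's mail or of PostgreSQL's own code), the sequence described above run in a scratch database and then inspected rather than assumed. It uses a hypothetical role app_user, assumes a superuser session, and assumes pg_stat_statements is available to CREATE EXTENSION; the signature of pg_stat_statements_reset varies between versions, so the function is resolved by name through pg_proc.

```sql
-- Added example, not from the thread or the PostgreSQL project.
-- Assumes: superuser session, scratch database, pg_stat_statements available.
-- Role name app_user is hypothetical.
CREATE ROLE app_user;

-- The default-privileges setup from the mail. It applies to functions later
-- created by the role running this statement (the superuser) in schema public.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT EXECUTE ON FUNCTIONS TO app_user;

-- The extension's script restricts its reset function via REVOKE ... FROM PUBLIC.
CREATE EXTENSION pg_stat_statements;

-- Check 1: does app_user end up with EXECUTE on the function the extension
-- script meant to restrict? Resolved by name, since the parameter list differs
-- across pg_stat_statements versions.
SELECT p.oid::regprocedure AS function,
       has_function_privilege('app_user', p.oid, 'EXECUTE') AS app_user_can_execute
FROM pg_proc p
WHERE p.proname = 'pg_stat_statements_reset';

-- Check 2: for every function owned by the extension, show the live ACL next
-- to what pg_init_privs recorded at CREATE EXTENSION time, so any entry that
-- mentions app_user (and any drift between the two) is visible at a glance.
SELECT p.oid::regprocedure AS function,
       p.proacl            AS current_acl,
       ip.initprivs        AS recorded_init_privs,
       p.proacl IS NOT DISTINCT FROM ip.initprivs AS acl_matches_init
FROM pg_proc p
JOIN pg_depend d
  ON d.classid = 'pg_proc'::regclass
 AND d.objid = p.oid
 AND d.refclassid = 'pg_extension'::regclass
 AND d.deptype = 'e'
JOIN pg_extension e ON e.oid = d.refobjid
LEFT JOIN pg_init_privs ip
  ON ip.objoid = p.oid
 AND ip.classoid = 'pg_proc'::regclass
 AND ip.objsubid = 0
WHERE e.extname = 'pg_stat_statements'
ORDER BY 1;
```

If the first check returns true, or the second shows app_user in current_acl, the default privileges reached the extension's objects in this environment; a row where acl_matches_init is false is the kind of ACL/pg_init_privs mismatch the thread is about.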