> On Dec 14, 2021, at 2:26 PM, Joshua Brindle <joshua.brindle@crunchydata.com> wrote:
>
> currently there is a failure in check-world (not sure if it's known):

That one is definitely my fault. 'en_US.UTF-8' exists on my platform, so I hadn't noticed. I've changed it to use
'C', which should be portable.

> One thing that seems like an omission to me is the absence of a
> InvokeObjectPostAlterHook in pg_setting_acl_aclcheck or
> pg_setting_acl_aclmask so that MAC extensions can also block this,
> InvokeObjectPostCreateHook is already in the create path so a
> PostAlter hook seems appropriate.

Good catch, but that seems like a strange place to put a PostAlterHook, so I added it to ExecGrant_Setting for v6,
instead. This seems more consistent with the hook in SetDefaultACL.

(If you are really trying to do Managed Access Control (MAC), wouldn't that be a separate patch which adds security
hooks into all *_aclcheck functions?)

—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company