Re: Hardening PostgreSQL via (optional) ban on local file system access

From: Robert Haas
Subject: Re: Hardening PostgreSQL via (optional) ban on local file system access
Date:
Msg-id: CA+TgmoZgL21Bm62pkT=C66U_tvzuzc1um-TEWBBck6TSOuMNLg@mail.gmail.com
In reply to: Re: Hardening PostgreSQL via (optional) ban on local file system access  (Hannu Krosing <hannuk@google.com>)
Responses: Re: Hardening PostgreSQL via (optional) ban on local file system access  (Hannu Krosing <hannuk@google.com>)
List: pgsql-hackers
On Mon, Jun 27, 2022 at 5:37 PM Hannu Krosing <hannuk@google.com> wrote:
> My current thinking is (based on more insights from Andres) that we
> should also have a startup flag to disable superuser altogether to
> avoid bypasses via direct manipulation of pg_proc.
>
> Experience shows that 99% of the time one can run PostgreSQL just fine
> without a superuser, so having a superuser available all the time is
> kind of like leaving a loaded gun on the kitchen table because you
> sometimes need to go hunting.
>
> I am especially waiting for Andres' feedback on the viability of this approach.

Well, I'm not Andres but I don't think not having a superuser at all
is in any way a viable approach. It's necessary to be able to
administer the database system, and the bootstrap superuser can't be
removed outright in any case because it owns a ton of objects.

There are basically two ways of trying to solve this problem. On the
one hand we could try to create a mode in which the privileges of the
superuser are restricted enough that the superuser can't break out to
the operating system. The list of things that would need to be blocked
is, I think, more extensive than any list you've given so far. The
other is to stick with the idea of an unrestricted superuser but come
up with ways of giving a controlled subset of the superuser's
privileges to a non-superuser. I believe this is the more promising
approach, and there have been multiple discussion threads about it in
the last six months.

-- 
Robert Haas
EDB: http://www.enterprisedb.com
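The second approach Robert describes, handing a non-superuser a controlled subset of what the superuser can do, already has a concrete form in PostgreSQL through its predefined roles (`pg_read_server_files`, `pg_write_server_files` and `pg_execute_server_program`, available since PostgreSQL 11). The SQL below is an added example and is not part of this thread or of any patch discussed in it: it grants one such role to a constructed login role, then runs an audit query that lists every login role able to reach the server's file system, which is the inventory a DBA wants before deciding whether a superuser-free operating mode is even realistic for a given installation. The role name `etl_loader` is a constructed placeholder.

```sql
-- Added example, not from the thread. Role name 'etl_loader' is constructed.

-- A bulk loader that may read files on the database host (COPY ... FROM '/path')
-- but cannot write files or execute programs, and is not a superuser.
CREATE ROLE etl_loader LOGIN;
GRANT pg_read_server_files TO etl_loader;

-- Audit: every login role that can reach the host file system, either because
-- it is a superuser or because it is (directly or transitively) a member of one
-- of the predefined file-system roles. Note that superusers are treated as
-- members of every role, so pg_has_role() reports TRUE for them in every column.
SELECT r.rolname,
       r.rolsuper                                                   AS is_superuser,
       pg_has_role(r.oid, 'pg_read_server_files',     'MEMBER')     AS can_read_files,
       pg_has_role(r.oid, 'pg_write_server_files',    'MEMBER')     AS can_write_files,
       pg_has_role(r.oid, 'pg_execute_server_program','MEMBER')     AS can_run_programs
FROM   pg_roles AS r
WHERE  r.rolcanlogin
  AND (   r.rolsuper
       OR pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER')
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolsuper DESC, r.rolname;
```

Run the audit query as any role with access to `pg_roles` (it is readable by all roles); in a freshly initialised cluster it returns only the bootstrap superuser, which illustrates Robert's point that the superuser cannot simply be removed, while `etl_loader` shows up with only `can_read_files` set, which is the "controlled subset" model in practice.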


