Discussion: pageinspect some function no need superuser priv
hi. just came to my mind. If you're the table owner, you should be allowed to use get_raw_page (and other pageinspect module functions)? We can use RangeVarGetRelidExtended with RangeVarCallbackOwnsRelation to perform the ownership check. Attached is a draft POC. Am I missing anything obvious?
On Tue, 14 Oct 2025, 18:27 jian he, <jian.universality@gmail.com> wrote:
> hi.
> just came to my mind.
> If you're the table owner, you should be allowed to use get_raw_page (and other
> pageinspect module functions)?
> We can use RangeVarGetRelidExtended with
> RangeVarCallbackOwnsRelation to perform the ownership check.
> Attached is a draft POC.
> Am I missing anything obvious?
Hi!
I was also wondering if there is any security vulnerability with that.
I was thinking about page lsn, checkpoint and wal compression as a possible way to abuse, but did not manage to come up with an exploit.
Kirill Reshke <reshkekirill@gmail.com> writes:
> On Tue, 14 Oct 2025, 18:27 jian he, <jian.universality@gmail.com> wrote:
>> If you're the table owner, you should be allowed to use get_raw_page (and
>> other pageinspect module functions)?
> I was also wondering if there is any security vulnerability with that.
> I was thinking about page lsn, checkpoint and wal compression as a possible
> way to abuse, but did not manage to come up with an exploit

Yeah, I do not think it follows that being table owner should
entitle you to such low-level access. I'm inclined to reject
this proposal.

regards, tom lane
On Tue, Oct 14, 2025 at 10:29:39AM -0400, Tom Lane wrote:
> Yeah, I do not think it follows that being table owner should
> entitle you to such low-level access. I'm inclined to reject
> this proposal.

-1 here, too. IMHO all of pageinspect should remain superuser-only since
it is meant for development/debugging. The proposal doesn't describe a
use-case for the relaxed privileges, either.

--
nathan
On Tue, Oct 14, 2025 at 10:51:51AM -0500, Nathan Bossart wrote:
> On Tue, Oct 14, 2025 at 10:29:39AM -0400, Tom Lane wrote:
>> Yeah, I do not think it follows that being table owner should
>> entitle you to such low-level access. I'm inclined to reject
>> this proposal.
>
> -1 here, too. IMHO all of pageinspect should remain superuser-only since
> it is meant for development/debugging. The proposal doesn't describe a
> use-case for the relaxed privileges, either.

Same. We've always wanted this module to be superuser-only, with
superuser hardcoded checks and not even execution ACLs.

--
Michael
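
An added example, not part of any message in the thread and not the attached POC: a psql script that shows the current behaviour the replies describe, where a table owner passes the function ACL check on get_raw_page but is still refused by the check inside the function, and that lists which roles can use pageinspect today. The role `demo_owner` and table `demo_t` are constructed names; the script assumes a superuser session in a scratch database, run outside a transaction block.

```sql
-- Added example. demo_owner and demo_t are constructed names.
CREATE EXTENSION IF NOT EXISTS pageinspect;
CREATE ROLE demo_owner NOSUPERUSER;
CREATE TABLE demo_t (id int);
INSERT INTO demo_t VALUES (1);
ALTER TABLE demo_t OWNER TO demo_owner;

-- 1. Function ACLs of every function that belongs to pageinspect.
--    A NULL proacl is the default ACL, which lets PUBLIC execute.
SELECT p.oid::regprocedure AS fn, p.proacl
FROM pg_depend d
JOIN pg_extension e ON e.oid = d.refobjid
JOIN pg_proc p ON p.oid = d.objid
WHERE d.classid = 'pg_proc'::regclass
  AND d.refclassid = 'pg_extension'::regclass
  AND d.deptype = 'e'
  AND e.extname = 'pageinspect'
ORDER BY 1;

-- 2. Become the table owner and compare the two checks.
SET ROLE demo_owner;

-- ACL check, evaluated for the current role.
SELECT p.oid::regprocedure AS fn,
       has_function_privilege(p.oid, 'EXECUTE') AS acl_allows
FROM pg_proc p
WHERE p.proname = 'get_raw_page';

-- Ownership and EXECUTE are not enough: the C function tests
-- superuser() itself, so this call raises an error.
SELECT get_raw_page('demo_t', 0);

RESET ROLE;

-- 3. Roles that can actually use pageinspect: superusers only.
SELECT rolname FROM pg_roles WHERE rolsuper ORDER BY 1;

-- Cleanup.
DROP TABLE demo_t;
DROP ROLE demo_owner;
```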