untrusted PLs should be GRANTable

From: Craig Ringer
Subject: untrusted PLs should be GRANTable
Date:
Msg-id: CAMsr+YGXjdQs2cG0R-a59C-HW3aAdcqOHdC1SR7SHVh+2J6cxA@mail.gmail.com
Responses: Re: untrusted PLs should be GRANTable (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Re: untrusted PLs should be GRANTable (Robert Haas <robertmhaas@gmail.com>)
Re: untrusted PLs should be GRANTable (Stephen Frost <sfrost@snowman.net>)
List: pgsql-hackers
Hi all

A user has raised the point that our refusal to GRANT rights to untrusted PLs is counterproductive and inconsistent with how we behave elsewhere.

Yes, untrusted PLs can be escaped to gain superuser rights, often trivially.

But we allow this:

CREATE ROLE superme SUPERUSER NOINHERIT;
GRANT superme TO me;

.... and really, GRANTing an untrusted PL is similar.

Forcing users to create their PLs as a superuser increases the routine use of superuser accounts. Most users' DDL deploy scripts will be run as a superuser if they have to use a superuser for PL changes; they're not going to SET ROLE and RESET ROLE around the function changes.

It also encourages users to make their untrusted functions SECURITY DEFINER when still owned by a superuser, which we really don't want them doing unnecessarily.

In the name of making things more secure, we've made them less secure.

Untrusted PLs should be GRANTable with a NOTICE or WARNING telling the admin that GRANTing an untrusted PL effectively gives the user the ability to escape to superuser.

--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
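
The NOINHERIT superuser pattern the post compares against, and the SET ROLE / RESET ROLE dance a deploy script currently has to do to define an untrusted-PL function without running the whole script as superuser. This is an added example, not code from the original post or from the PostgreSQL project; it assumes the plpython3u extension is installed, that `me` is the login role used for deploys, and that the role name `superme` and the function `host_file_exists` are illustrative.

```sql
-- Added example (not from the original post). Assumes plpython3u is
-- installed and "me" is an existing login role.

-- Run once as a real superuser: a superuser role that "me" can step into
-- with SET ROLE but does not inherit, so ordinary sessions of "me" are not
-- superuser. This is the pattern the post calls equivalent in effect to
-- GRANTing an untrusted language.
CREATE ROLE superme SUPERUSER NOINHERIT;
GRANT superme TO me;

-- What the post argues should be allowed with a WARNING. Today it fails:
--   GRANT USAGE ON LANGUAGE plpython3u TO me;
--   ERROR:  language "plpython3u" is not trusted
--   HINT:  GRANT and REVOKE are not allowed on untrusted languages, ...

-- Current workaround inside a deploy script connected as "me":
-- escalate only around the function definition, then drop back.
SET ROLE superme;

-- Illustrative untrusted-PL function: it touches the server's filesystem,
-- which is exactly why the language is untrusted. It is deliberately NOT
-- SECURITY DEFINER: the OS-level access is already there, and SECURITY
-- DEFINER on a superuser-owned function would additionally run every SQL
-- statement inside it as superuser, which the post warns against.
CREATE OR REPLACE FUNCTION host_file_exists(path text) RETURNS boolean
LANGUAGE plpython3u AS $$
import os
return os.path.exists(path)
$$;

-- Limit who may call it; the owner (superme) keeps EXECUTE implicitly.
REVOKE EXECUTE ON FUNCTION host_file_exists(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION host_file_exists(text) TO me;

RESET ROLE;

-- Back as plain "me": callable, but the session itself is not superuser.
SELECT host_file_exists('/etc/hostname');
SELECT current_user, usesuper FROM pg_user WHERE usename = current_user;
```

If the SET ROLE / RESET ROLE pair is omitted, as the post predicts most deploy scripts will do, the only alternative is to connect as a superuser for the entire script, which is the increased routine superuser use the post objects to.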

In the pgsql-hackers list, by date sent:

Previous
From: Amit Langote
Date:
Message: Re: pgsql: Allow UNIQUE indexes on partitioned tables
Next
From: "Kato, Sho"
Date:
Message: RE: How to make partitioning scale better for larger numbers of partitions