Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)
From | Tom Lane |
---|---|
Subject | Re: Updates of SE-PostgreSQL 8.4devel patches (r1704) |
Date | |
Msg-id | 2163.1236712657@sss.pgh.pa.us |
In response to | Re: Updates of SE-PostgreSQL 8.4devel patches (r1704) (Ron Mayer <rm_pg@cheapcomplexdevices.com>) |
Responses | Re: Updates of SE-PostgreSQL 8.4devel patches (r1704) |
List | pgsql-hackers |
Ron Mayer <rm_pg@cheapcomplexdevices.com> writes:

> As far as I can tell, the community feels interested in the
> feature set; but relatively unable to contribute since none
> of the people have that much of a security background. It
> seems the best way to fix that would be to get more people
> with a security background more involved.

It's experience with the Postgres code base that I'm worried about. I don't question KaiGai-san's security background; I do doubt that he knows where all the skeletons are buried in the PG backend.

A couple of very recent examples of that: his patch to fix a problem with inheritance of column privileges was approximately the right thing, but inefficiently duplicated the functionality of nearby code:
http://archives.postgresql.org/pgsql-hackers/2009-03/msg00196.php
and it didn't take Heikki long at all to note an oversight in the part of the latest sepostgres patch that attempted to confine superusers' file read/write abilities:
http://archives.postgresql.org/pgsql-hackers/2009-03/msg00446.php

More generally, there's been no discussion or community buy-in on design questions such as whether the patch should even try to confine superusers on such a fine-grained basis. (I agree with Heikki's thought that this may be a lost cause given our historical design assumption that superusers can do anything.)

So I remain strongly of the opinion that what this patch lacks is review from longtime PG hackers. It's not the security community that is missing from the equation.

regards, tom lane