Re: untrusted PLs should be GRANTable
From | Robert Haas |
---|---|
Subject | Re: untrusted PLs should be GRANTable |
Date | |
Msg-id | CA+TgmoadbBWqhuUd9tg5MJnN7bGP-VOB43z7jNJe_SiyPnhdrg@mail.gmail.com |
In reply to | untrusted PLs should be GRANTable (Craig Ringer <craig@2ndquadrant.com>) |
List | pgsql-hackers |
On Tue, Jul 17, 2018 at 1:20 AM, Craig Ringer <craig@2ndquadrant.com> wrote:
> Forcing users to create their PLs as a superuser increases the routine use
> of superuser accounts. Most users' DDL deploy scripts will be run as a
> superuser if they have to use a superuser for PL changes; they're not going
> to SET ROLE and RESET ROLE around the function changes.
>
> It also encourages users to make their untrusted functions SECURITY DEFINER
> when still owned by a superuser, which we really don't want them doing
> unnecessarily.
>
> In the name of making things more secure, we've made them less secure.
>
> Untrusted PLs should be GRANTable with a NOTICE or WARNING telling the admin
> that GRANTing an untrusted PL effectively gives the user the ability to
> escape to superuser.

+1.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
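The two risks the thread raises (USAGE on an untrusted language being superuser-equivalent, and SECURITY DEFINER functions in untrusted languages owned by a superuser) can be audited from the catalogs. The queries below are an added example, not code from the thread or from PostgreSQL itself; they use only the standard `pg_language`, `pg_proc`, `pg_roles` and `aclexplode()` catalog objects and assume the connected role can read them.

```sql
-- Added audit example (not from the thread). Query 1: every explicit USAGE
-- grant on an untrusted procedural language to a role that is not already a
-- superuser. Under the change proposed in the thread, each such grant would
-- let the grantee escape to superuser, so each row is worth reviewing.
-- aclexplode() returns grantee = 0 for PUBLIC, which pg_roles does not list,
-- so a LEFT JOIN plus COALESCE keeps those rows visible.
SELECT l.lanname,
       COALESCE(r.rolname, 'PUBLIC') AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_language AS l
CROSS JOIN LATERAL aclexplode(l.lanacl) AS a
LEFT JOIN pg_roles AS r ON r.oid = a.grantee
WHERE l.lanispl                       -- procedural languages only
  AND NOT l.lanpltrusted              -- e.g. plpython3u, plperlu
  AND COALESCE(r.rolsuper, false) = false
ORDER BY l.lanname, grantee;

-- Query 2: functions written in an untrusted language that are marked
-- SECURITY DEFINER and owned by a superuser, i.e. the workaround pattern the
-- thread says users adopt when they cannot be granted the language directly.
-- Each row runs with full superuser rights for whoever may EXECUTE it.
SELECT n.nspname,
       p.proname,
       l.lanname,
       o.rolname AS owner
FROM pg_proc AS p
JOIN pg_language  AS l ON l.oid = p.prolang
JOIN pg_namespace AS n ON n.oid = p.pronamespace
JOIN pg_roles     AS o ON o.oid = p.proowner
WHERE l.lanispl
  AND NOT l.lanpltrusted
  AND p.prosecdef                     -- SECURITY DEFINER
  AND o.rolsuper                      -- owned by a superuser
ORDER BY n.nspname, p.proname;
```

A language whose `lanacl` is NULL produces no rows from query 1 because `aclexplode(NULL)` returns nothing; for untrusted languages that NULL means no one other than superusers has been granted USAGE.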