Re: [HACKERS] Simplify ACL handling for large objects and removal ofsuperuser() checks

On Sat, Nov 11, 2017 at 9:01 AM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> On Sat, Nov 11, 2017 at 12:50 AM, Robert Haas <robertmhaas@gmail.com> wrote:
>> On Fri, Nov 10, 2017 at 10:34 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> I think as far as that goes, we can just change to "Therefore, by default
>>> their use is restricted ...".  Then I suggest adding a <caution> para
>>> after that, with wording along the lines of
>>>
>>>     It is possible to GRANT use of server-side lo_import and lo_export to
>>>     non-superusers, but careful consideration of the security implications
>>>     is required.  A malicious user of such privileges could easily parlay
>>>     them into becoming superuser (for example by rewriting server
>>>     configuration files), or could attack the rest of the server's file
>>>     system without bothering to obtain database superuser privileges as
>>>     such.  Access to roles having such privilege must therefore be guarded
>>>     just as carefully as access to superuser roles.  Nonetheless, if use
>>>     of server-side lo_import or lo_export is needed for some routine task,
>>>     it's safer to use a role of this sort than full superuser privilege,
>>>     as that helps to reduce the risk of damage from accidental errors.
>>
>> +1.  That seems like great language to me.
>
> +1. Not convinced that mentioning wrappers is worth the complication.
> Experienced admins likely already know such matters.

For archives' sake, doc improvements are committed as of 6d77652.
-- 
Michael