Re: role self-revocation
| От | David G. Johnston |
|---|---|
| Тема | Re: role self-revocation |
| Дата | |
| Msg-id | CAKFQuwYKx_yDo1F6hEhKwe2f__VyxxfFnQ3nGBrBSYqhWfSXJA@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: role self-revocation (Robert Haas <robertmhaas@gmail.com>) |
| Ответы |
Re: role self-revocation
|
| Список | pgsql-hackers |
On Mon, Mar 7, 2022 at 11:18 AM Robert Haas <robertmhaas@gmail.com> wrote:
In terms of how
things work today, see Joshua Brindle's email about the use of groups
in pg_hba.conf. That is an excellent example of how removing oneself
from a group could enable one to bypass security restrictions intended
by the DBA.
You mean the one that was based upon your "ooops"...I discounted that immediately because members cannot revoke their own membership in a group unless they were given WITH ADMIN OPTION on that group.
The mere fact that the pg_hba.conf concern raised there hasn't been reported as a live issue suggests the lack of any meaningful design flaw here.
That isn't to say that having a LOGIN role get an automatic temporary WITH ADMIN OPTION on itself is a good thing - but there isn't any privilege escalation vector here to be squashed. There is just a "DBAs should treat LOGIN roles as leaf nodes" expectation in which case there would be no superuser granted memberships to be removed.
David J.
В списке pgsql-hackers по дате отправления: