Re: untrusted PLs should be GRANTable

From Craig Ringer
Subject Re: untrusted PLs should be GRANTable
Date
Msg-id CAMsr+YE41ka8bUP+P2aHECeRC=deEEpHCb69Uwk+efgbnr_okw@mail.gmail.com
In response to Re: untrusted PLs should be GRANTable  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
On 19 July 2018 at 08:23, Stephen Frost <sfrost@snowman.net> wrote:
> Greetings,
>
> * Craig Ringer (craig@2ndquadrant.com) wrote:
> > Untrusted PLs should be GRANTable with a NOTICE or WARNING telling the
> > admin that GRANTing an untrusted PL effectively gives the user the ability
> > to escape to superuser.
>
> I don't know that we really want to get into the business of issuing a
> NOTICE or WARNING in such cases.  We don't do that in a lot of other
> cases where non-superusers can be GRANT'd access which would allow them
> to become a superuser and if we start doing it now then we're going to
> need to go back and change the existing places to have such NOTICE or
> WARNING, or we'll be inconsistent about it, which would be worse.  I
> also worry that we'd start wanting to have NOTICEs for when we are
> allowing users to GRANT roles (like pg_monitor) that might get access to
> data that isn't obvious, even if they aren't able to become a superuser
> and it just gets ugly.

Good point.

I was mostly trying to anticipate concerns about people unwittingly granting access to untrusted languages.

But hey, if you're using GRANT you should know what it means.

Alternately,

    GRANT USAGE ON [UNTRUSTED] LANGUAGE plpythonu;

and if you don't write UNTRUSTED we emit the existing error?

It at least means people have to think about it and recognise the difference.

Not really convinced it's worth the hassle, but the "u" suffix isn't what you'd call clearly a self-documenting warning of superuser-equivalent rights either.

--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
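
An added example, not part of the original message or of the PostgreSQL project's code: two catalog queries that read each procedural language's trust flag directly, so an audit does not depend on the "u" naming suffix discussed above. They use only the standard catalogs pg_language, pg_proc, pg_namespace and pg_roles.

```sql
-- 1. Every procedural language with its trust flag, owner, ACL and the
--    number of functions written in it. Untrusted languages sort first.
SELECT l.lanname      AS language,
       l.lanpltrusted AS trusted,
       r.rolname      AS owner,
       l.lanacl       AS acl,   -- NULL means no explicit GRANTs recorded
       (SELECT count(*)
          FROM pg_proc p
         WHERE p.prolang = l.oid) AS functions
  FROM pg_language l
  JOIN pg_roles r ON r.oid = l.lanowner
 WHERE l.lanispl                -- skip internal, c and sql
 ORDER BY l.lanpltrusted, l.lanname;

-- 2. Functions written in untrusted languages, with owner and whether
--    they run with the owner's rights (SECURITY DEFINER). These are the
--    objects to review, since their bodies are not sandboxed.
SELECT n.nspname   AS schema,
       p.proname   AS function,
       l.lanname   AS language,
       o.rolname   AS owner,
       o.rolsuper  AS owner_is_superuser,
       p.prosecdef AS security_definer
  FROM pg_proc p
  JOIN pg_language  l ON l.oid = p.prolang
  JOIN pg_namespace n ON n.oid = p.pronamespace
  JOIN pg_roles     o ON o.oid = p.proowner
 WHERE l.lanispl
   AND NOT l.lanpltrusted
 ORDER BY n.nspname, p.proname;
```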
