Re: pre-proposal: permissions made easier

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Josh Berkus <josh(at)agliodbs(dot)com>
Cc: Jeff Davis <pgsql(at)j-davis(dot)com>, David Fetter <david(at)fetter(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: pre-proposal: permissions made easier
Date: 2009-06-29 18:53:07
Message-ID: 17789.1246301587@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Josh Berkus <josh(at)agliodbs(dot)com> writes:
> The second, and bigger problem I can see is that this opens a whole new
> set of security holes by allowing an end-run around the existing access
> control structure with attackers can try to exploit.

Yeah. I'm very concerned about any scheme that invents additional
sources of permissions that aren't visible in the object's own ACL list.
Even if it's secure in its own terms, it'll blindside people and
programs who are used to the existing ways of doing things.

From what I recall of prior discussions, there is rough consensus that
the two types of facilities you mentioned (setting up default ACLs to be
applied at creation of objects created later, and providing a way to
change multiple objects' permissions with one GRANT) are desirable,
though there is plenty of argument about the details. Neither of these
result in creating any new sources of permissions --- a given object's
ACL is still the whole truth.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Hunsberger 2009-06-29 18:55:31 Re: Query progress indication - an implementation
Previous Message Bernd Helmle 2009-06-29 18:52:52 Re: [PATCH] [v8.5] Security checks on largeobjects