From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Sean Chittenden <sean(at)chittenden(dot)org> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org> |
Subject: | Re: More network functions... |
Date: | 2004-05-26 18:35:09 |
Message-ID: | 200405261835.i4QIZ9518577@candle.pha.pa.us |
Lists: | pgsql-patches |
Patch applied. Thanks.
---------------------------------------------------------------------------
Sean Chittenden wrote:
> >> *) inet_(client|server)_(addr|port)() and necessary documentation for
> >> the four functions.
> >> *) area(PATH) and documentation.
> >> *) Checks for TEMP privs when creating objects in the temp schema
> >> (checks for any object created in a temp namespace).
> >> *) With the above change, current_user is now being used to check if
> >> CREATE TEMP TABLE should succeed.
> >> [ and it gets weirder from there ]
> >
> > Er, what?
> >
> > Could we possibly have this separated into multiple patches with some
> > coherent purpose to each?
>
> Sure.
>
> patch-network.txt contains the following bits:
>
> *) inet_(client|server)_(addr|port)() and necessary documentation for
> the four functions.
>
>
> > Also, please justify the temp-related changes. I was not aware that we
> > had any breakage there.
>
> patch-tmp-schema.txt contains the following bits:
>
> *) Changes pg_namespace_aclmask() so that the superuser is always able
> to create objects in the temp namespace.
> *) Changes pg_namespace_aclmask() so that if this is a temp namespace,
> objects are only allowed to be created in the temp namespace if the
> user has TEMP privs on the database. This encompasses all object
> creation, not just TEMP tables.
> *) InitTempTableNamespace() checks to see if the current user, not the
> session user, has access to create a temp namespace.
>
> The first two changes are necessary to support the third change. Now
> it's possible to revoke all temp table privs from non-super users and
> limit all creation of temp tables/schemas via a function that's
> executed with elevated privs (security definer). Before this change,
> it was not possible to have a setuid function to create a temp
> table/schema if the session user had no TEMP privs.
>
> Originally you'd brought up some concerns about security problems, but
> this patch I believe addresses all of your prior concerns.
>
>
> patch-area-path.txt contains:
>
> *) Can now determine the area of a closed path.
>
>
> patch-dfmgr.txt contains:
>
> *) Small tweak to add the library path that's being expanded.
>
> I was using $lib/foo.so and couldn't easily figure out what the error
> message, "invalid macro name in dynamic library path" meant without
> looking through the source code. With the path in there, at least I
> know where to start looking in my config file.
>
>
> -sc
>
[ Attachment, skipping... ]
[ Attachment, skipping... ]
[ Attachment, skipping... ]
[ Attachment, skipping... ]
[ Attachment, skipping... ]
>
>
> --
> Sean Chittenden
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
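
The privilege setup that the quoted patch-tmp-schema.txt notes describe, written out as an added example that is not part of the thread or of the applied patch: TEMP is revoked from ordinary users and temp tables are created only through a SECURITY DEFINER function. The database `appdb`, the roles `app_owner` and `app_user`, the function `make_scratch()` and the table `scratch` are hypothetical names, and the syntax assumes a current PostgreSQL release (roles, `format()`), not the 2004 tree.

```sql
-- Added example; every object name here is hypothetical.
-- Run as a superuser while connected to the database appdb.

-- 1. PUBLIC holds TEMP on a database by default; take it away.
REVOKE TEMPORARY ON DATABASE appdb FROM PUBLIC;

-- 2. Only the role that will own the wrapper function may create temp objects.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_user LOGIN;
GRANT TEMPORARY ON DATABASE appdb TO app_owner;

-- 3. Inside a SECURITY DEFINER function current_user is the function owner,
--    so the TEMP check is made against app_owner while session_user is still
--    the caller. search_path is pinned with pg_temp last so that objects in
--    the caller's temp schema cannot shadow anything the function references.
CREATE FUNCTION make_scratch() RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    CREATE TEMP TABLE scratch (id integer, note text);
    -- The table is owned by app_owner; give the calling session user access.
    EXECUTE format('GRANT SELECT, INSERT ON pg_temp.scratch TO %I',
                   session_user);
END;
$$;
ALTER FUNCTION make_scratch() OWNER TO app_owner;

-- 4. Functions are executable by PUBLIC by default; restrict the wrapper.
REVOKE EXECUTE ON FUNCTION make_scratch() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION make_scratch() TO app_user;

-- 5. Check the result from the unprivileged side.
SELECT has_database_privilege('app_user', 'appdb', 'TEMPORARY');
SET SESSION AUTHORIZATION app_user;
SELECT make_scratch();
INSERT INTO scratch VALUES (1, 'created through the wrapper');
RESET SESSION AUTHORIZATION;
```

With TEMP revoked, a direct `CREATE TEMP TABLE` issued by `app_user` is refused, so the wrapper is the only way for that role to get a temp table.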