Re: BUG #1830: Non-super-user must be able to copy from a

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Stephan Szabo <sszabo(at)megazone(dot)bigpanda(dot)com>
Cc: Bernard <bht(at)actrix(dot)gen(dot)nz>, Oliver Jowett <oliver(at)opencloud(dot)com>, pgsql-bugs(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org
Subject: Re: BUG #1830: Non-super-user must be able to copy from a
Date: 2005-08-19 13:15:52
Message-ID: 20050819131552.GB6026@ns.snowman.net
Lists: pgsql-bugs pgsql-general

* Stephan Szabo (sszabo(at)megazone(dot)bigpanda(dot)com) wrote:
>
> On Fri, 19 Aug 2005, Bernard wrote:
>
> > My suggestions for improving the COPY command so it can be used by
> > non-superuser users would be as follows:
>
> If you want to do this without switching to a different UNIX user, can't
> you already write a small SECURITY DEFINER function as a superuser that
> does the copy from file based on arguments and then give permissions to
> that function to the appropriate non-superusers?

Generally, I think this is the approach that makes the most sense. Of
course, the SECURITY DEFINER function should also check that the
arguments match a pre-defined list of valid file names/table names, etc.
Personally, I do like the idea of a user-level 'copy server-side files'
permission that could be granted to reduce the need for things to run as
superuser. I'd probably still set up a SECURITY DEFINER function to a
user with those permissions as an additional layer of security but it'd
be nice to not have to run the function as superuser.

I understand the concern that a user might be able to escalate to
superuser status using that permission but I feel that's more an issue
that an administrator needs to understand and deal with than a problem
with allowing that permission. Ways to avoid it would include: using
PAM (it's at least somewhat difficult to crack a decent hashed password
in /etc/shadow), using local-socket-only ident only for superuser,
hacking Postgres to support Unix-like password hashing/checking (same
issue as with PAM though), hacking Postgres to support SASL (and then
using saslauthd so Postgres doesn't need access to the file which has
the password hashes directly), using Kerberos for authentication (my
personal favorite, Kerberos for users, local-ident only for superuser).

It is, of course, good to note that current Postgres 'md5' auth method
usage means that a compromise of pg_shadow (pg_authid) gives the
attacker superuser access immediately (the hash itself is the actual
authentication token; the password isn't actually interesting in that
case).

Thanks,

Stephen
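The SECURITY DEFINER wrapper that Stephan suggests and Stephen endorses, with the argument checking against a pre-defined list of table/file pairs, written out as an added example. This is not code from the thread or from the PostgreSQL project; the allowlist table, the public.sales table, the role "loader" and the path under /var/lib/postgresql/import are assumed for illustration. It uses format() and the SET search_path function clause, so it needs PostgreSQL 9.1 or later rather than the 8.0 of this 2005 thread (on 8.0 the same thing is built with quote_ident() and quote_literal()). Note also that since PostgreSQL 11 the "copy server-side files" permission Stephen wishes for exists as the pg_read_server_files role, which can own such a function instead of a superuser.

```sql
-- Added example, not from the thread or PostgreSQL itself.
-- Hypothetical target table and importing role.
CREATE TABLE public.sales (id integer, amount numeric);
CREATE ROLE loader LOGIN;

-- The allowlist is owned by the definer (a superuser here); non-superusers
-- can neither read nor change it. Table names are stored schema-qualified,
-- file names as absolute server paths, and both must match exactly.
CREATE TABLE copy_allowlist (
    target_table text NOT NULL,   -- e.g. 'public.sales'
    source_file  text NOT NULL,   -- e.g. '/var/lib/postgresql/import/sales.csv'
    PRIMARY KEY (target_table, source_file)
);
INSERT INTO copy_allowlist VALUES
    ('public.sales', '/var/lib/postgresql/import/sales.csv');

CREATE OR REPLACE FUNCTION copy_from_allowed_file(p_table text, p_file text)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path: with definer privileges, an unqualified name must not be
-- resolvable through a schema the caller controls.
SET search_path = pg_catalog, pg_temp
AS $$
DECLARE
    v_table text;
    v_file  text;
    v_rows  bigint;
BEGIN
    -- Exact-match lookup: the caller never chooses an arbitrary path, so
    -- '../', /etc/passwd or pg_hba.conf cannot be reached through here.
    SELECT target_table, source_file
      INTO v_table, v_file
      FROM copy_allowlist
     WHERE target_table = p_table
       AND source_file  = p_file;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'COPY of % into % is not permitted', p_file, p_table
              USING ERRCODE = 'insufficient_privilege';
    END IF;

    -- Only the allowlisted values reach the dynamic statement; the regclass
    -- cast validates the table exists, %L quotes the path as a literal.
    EXECUTE format('COPY %s FROM %L WITH (FORMAT csv, HEADER true)',
                   v_table::regclass, v_file);
    GET DIAGNOSTICS v_rows = ROW_COUNT;
    RETURN v_rows;
END;
$$;

-- New functions are EXECUTE-able by PUBLIC by default; revoke that before
-- granting to the one role that should be able to trigger the load.
REVOKE EXECUTE ON FUNCTION copy_from_allowed_file(text, text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION copy_from_allowed_file(text, text) TO loader;

-- As role "loader":
--   SELECT copy_from_allowed_file('public.sales',
--                                 '/var/lib/postgresql/import/sales.csv');
-- Any other table/file pair raises insufficient_privilege.
```

The two things that make this safe beyond the allowlist are the pinned search_path (a SECURITY DEFINER function that inherits the caller's search_path can be tricked into calling the caller's own operators or functions with the definer's rights) and the REVOKE from PUBLIC, without which every role in the database can call the function.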

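Stephen's closing remark, that under 'md5' auth the stored hash is itself the credential, shown as an added example of the md5 exchange (not code from the thread or from PostgreSQL). The role name, password and salt bytes are constructed for illustration; the formulas are the ones libpq and the server use for md5 authentication: the catalog stores 'md5' || md5(password || rolename), the server sends a random 4-byte salt, and the client answers 'md5' || md5(hex_of_stored_hash || salt). Since PostgreSQL 10, SCRAM-SHA-256 is the alternative where a copied verifier cannot be replayed this way.

```sql
-- Added example, not from the thread or PostgreSQL itself.

-- What pg_authid.rolpassword (pg_shadow.passwd in 2005) holds for a role.
CREATE OR REPLACE FUNCTION md5_stored_hash(p_password text, p_user text)
RETURNS text LANGUAGE sql IMMUTABLE AS $$
    SELECT 'md5' || md5(p_password || p_user)
$$;

-- What a legitimate client sends in its PasswordMessage, computed from
-- the cleartext password and the 4-byte salt the server just issued.
CREATE OR REPLACE FUNCTION md5_client_response(p_password text, p_user text, p_salt bytea)
RETURNS text LANGUAGE sql IMMUTABLE AS $$
    SELECT 'md5' || md5(convert_to(md5(p_password || p_user), 'UTF8') || p_salt)
$$;

-- What an attacker who only has the stored hash sends: strip the 'md5'
-- prefix, append the salt, hash again. No password needed.
CREATE OR REPLACE FUNCTION md5_response_from_hash(p_stored_hash text, p_salt bytea)
RETURNS text LANGUAGE sql IMMUTABLE AS $$
    SELECT 'md5' || md5(convert_to(substr(p_stored_hash, 4), 'UTF8') || p_salt)
$$;

-- The server-side check is exactly md5_response_from_hash() over what it
-- stores, so the two responses below are equal by construction and the
-- attacker's answer is accepted. Constructed role, password and salt.
SELECT md5_client_response('s3cret', 'alice', decode('5a1f03c7', 'hex'))
     = md5_response_from_hash(md5_stored_hash('s3cret', 'alice'),
                              decode('5a1f03c7', 'hex'))
       AS attacker_response_accepted;
```

The consequence is the one Stephen draws: anyone who can read the catalog's stored hashes (a superuser's included) can authenticate as those roles without cracking anything, which is why restricting superuser logins to local ident or Kerberos, and today using scram-sha-256 in pg_hba.conf, matters more than the strength of the password itself.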