| From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: ALTER ROLE/DATABASE RESET ALL versus security |
| Date: | 2010-03-18 15:48:57 |
| Message-ID: | 20100318154857.GA3883@alvh.no-ip.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Bruce Momjian wrote:
> Alvaro Herrera wrote:
> > Tom Lane wrote:
> > > Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
> > > > Tom Lane wrote:
> > > >> It looks to me like the code in AlterSetting() will allow an ordinary
> > > >> user to blow away all settings for himself. Even those that are for
> > > >> SUSET variables and were presumably set for him by a superuser. Isn't
> > > >> this a security hole? I would expect that an unprivileged user should
> > > >> not be able to change such settings, not even to the extent of
> > > >> reverting to the installation-wide default.
> > >
> > > > Yes, it is, but this is not a new hole. This works just fine in 8.4
> > > > too:
> > >
> > > So I'd argue for changing it in 8.4 too.
> >
> > Understood. I'm starting to look at what this requires.
>
> Any progress on this?
I have come up with the attached patch. I haven't tested it fully yet,
and I need to backport it. The gist of it is: we can't simply remove
the pg_db_role_setting tuple, we need to ask GUC to reset the settings
array, for which it checks superuser-ness on each setting.
--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
| Attachment | Content-Type | Size |
|---|---|---|
| su-settings.patch | text/x-diff | 6.3 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2010-03-18 15:59:47 | Re: ALTER ROLE/DATABASE RESET ALL versus security |
| Previous Message | Chris Browne | 2010-03-18 15:31:55 | Re: An idle thought |