Re: Strange security issue with Superuser access

From: PT <wmoran(at)potentialtech(dot)com>
To: Andrzej Pilacik <cypisek77(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Strange security issue with Superuser access
Date: 2015-03-10 12:18:40
Message-ID: 20150310081840.a90c810e812bb5e1851ff087@potentialtech.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general


I've read this email over multiple times, and I don't understand
what your question is. I don't see what it is that you think is
working in an unexpected way, all the situations I see described
you claim work. Did you possible forget to put something in the
email or am I just a poor reader?

On Mon, 9 Mar 2015 17:00:14 -0400
Andrzej Pilacik <cypisek77(at)gmail(dot)com> wrote:

> I ran into this yesterday and I wanted to post this to see if this is
> working as expected or it is a bug.
>
> By creating 2 tables and creating a FK between them and then changing the
> owner of the tables to a group, I lost the ability to insert into the first
> table executing as SUPERUSER.
> I thought that SUPERUSER does not check any permissions...
>
> Scenario:
> create role rs;
> create schema ap authorization postgres;
>
> create table ap.table1 (a int)
> alter table ap.table1 owner to rs; -- this is a group with nobody in it
>
> create table ap.tablefk (b INT)
> alter table ap.tablefk owner to rs;
> insert into ap.tablefk values (12)
>
> select * from ap.tablefk
> select * from ap.table1
>
> alter table ap.table1 add constraint apk1 primary key (a)
> alter table ap.tablefk add constraint apkfk1 primary key (b)
>
> --- Insert as superuser
> Insert into ap.table1 values (12) --- works without an issue
>
>
> -- create a foreign key to second table
> ALTER TABLE ap.table1
> ADD CONSTRAINT id_fk FOREIGN KEY (a)
> REFERENCES ap.tablefk (b) MATCH SIMPLE
> ON UPDATE NO ACTION ON DELETE NO ACTION;
>
> --- Insert as superuser
> delete from ap.table1
> Insert into ap.table1 values (12) --- works without an issue
>
> /*
> It seems like even though you execute the insert as a superuser, the
> constraint check executes as the owner of the object (table) and therefore
> needs usage permission on the ap schema
> I thought that superuser privs are "god" like and always work regardless of
> the scenario
> */
>
> --- TO FIX
> grant usage on schema ap to rs;
> Insert into ap.table1 values (12)
>
>
> Can anyone explain how the FK constraint function works? Is it executed as
> the owner of the object. That is the only thing that would make sense for
> me.
>
> Thank you.
>
> Andrzej

--
PT <wmoran(at)potentialtech(dot)com>

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Andrzej Pilacik 2015-03-10 12:33:54 Re: Strange security issue with Superuser access
Previous Message hailong Li 2015-03-10 11:17:22 Re: The slave suddenly stopped with such DB log : "will not overwrite a used ItemId" and "heap_insert_redo: failed to add tuple"