Re: RFC: Non-user-resettable SET SESSION AUTHORISATION

From: Noah Misch <noah(at)leadboat(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Simon Riggs <simon(at)2ndquadrant(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, José Luis Tallón <jltallon(at)adv-solutions(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>
Subject: Re: RFC: Non-user-resettable SET SESSION AUTHORISATION
Date: 2015-05-29 00:43:42
Message-ID: 20150529004342.GA4121096@tornado.leadboat.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Tue, May 26, 2015 at 10:06:59PM -0400, Robert Haas wrote:
> On Sat, May 23, 2015 at 8:14 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> > On Tue, May 19, 2015 at 04:49:26PM -0400, Robert Haas wrote:
> >> A protocol extension avoids all of that trouble, and can be target for
> >> 9.6 just like any other approach we might come up with. I actually
> >> suspect the protocol extension will be FAR easier to fully secure, and
> >> thus less work, not more.
> >
> > All true. Here's another idea. Have the pooler open one additional
> > connection, for out-of-band signalling. Add a pair of functions:
> >
> > pg_userchange_grant(recipient_pid int, "user" oid)
> > pg_userchange_accept(sender_pid int, "user" oid)
> >
> > To change the authenticated user of a pool connection, the pooler would call
> > pg_userchange_grant in the signalling connection and pg_userchange_accept in
> > the target connection. This requires no protocol change or confidential
> > nonce. The inevitably-powerful signalling user is better insulated from other
> > users, because the pool backends have no need to become that user at any
> > point. Bugs in the pooler's protocol state machine are much less likely to
> > enable privilege escalation. On the other hand, it can't be quite as fast as
> > the other ideas on this thread.
>
> I'm sure this could be made to work, but it would require complex
> signalling in return for no obvious value. I don't see avoiding a
> protocol extension as particularly beneficial. New protocol messages
> that are sent by the server cause a hard compatibility break for
> clients, but new protocol messages that are client-initiated and late
> enough in the protocol flow that the client knows the server version
> have no such problem.

I didn't realize a protocol addition could be that simple, but you're right.

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Eisentraut 2015-05-29 00:51:01 Re: Patch to improve a few appendStringInfo* calls
Previous Message Peter Eisentraut 2015-05-29 00:12:41 Re: hstore_plpython regression test does not work on Python 3