Re: local security

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "David M(dot) Kaplan" <dkaplan(at)bio(dot)puc(dot)cl>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: local security
Date: 2001-04-17 14:16:14
Message-ID: 23446.987516974@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

"David M. Kaplan" <dkaplan(at)bio(dot)puc(dot)cl> writes:
> ... If you do that, you
> can no longer do things like restores from backups without editing the
> configuration file because postgresql wont let you change users. This is of
> course not a great problem, but it is a bit annoying. What I really want is
> that normal users can only logon as themselves, but superusers can logon as
> anyone.

BTW, this has already been discussed (look in the pghackers archives),
and I believe the consensus was that the most useful approach is to make
Postgres distinguish between "real" userid (what you logged in as) and
"effective" userid (what's used for object creation and permission
checks). For unprivileged users these would be equal and unchanging
throughout a session, but if your real ID is a Postgres superuser then
you would be allowed to SET the effective-userid variable to different
values. Then, for example, a pg_dump script would use "SET
effective_userid" instead of "\connect" commands to change user
identity, and a whole lot of the problems with executing pg_dump and
pg_dumpall scripts under secure authentication models would go away.

We need a notion of current effective userid anyway to allow rules and
functions to execute as though they are "setuid" programs.

I think Peter E. has laid some of the groundwork for this mechanism in
7.1, but work is still needed.

regards, tom lane

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Tom Lane 2001-04-17 14:24:54 Re: parse error at or near $1
Previous Message Tom Lane 2001-04-17 14:06:04 Re: local security