Re: system administration functions with hardcoded superuser checks

On 18.12.2012 18:38, Pavel Stehule wrote:
> 2012/12/18 Peter Eisentraut <peter_e(at)gmx(dot)net>:
>> There are some system administration functions that have hardcoded
>> superuser checks, specifically:
>>
>> pg_reload_conf
>> pg_rotate_logfile
>>
>> Some of these are useful in monitoring or maintenance tools, and the
>> hardcoded superuser checks require that these tools run with maximum
>> privileges. Couldn't we just install these functions without default
>> privileges and allow users to grant privileges as necessary?
>
> isn't it too strong gun for some people ???
>
> I believe so some one can decrease necessary rights and it opens doors
> to system.

No one was speaking about making them executable by a wider group of
users by default (i.e. decreasing necessary rights). Today, when you
need to provide the EXECUTE privilege on those functions, you have three
options

(a) make him a superuser - obviously not a good choice

(b) create a SECURITY DEFINER wrapper **for each function separately**

(c) deny to do that

Being able to do a plain GRANT on the function is merely a simpler way
to do (b). It has advantages (less objects/functions to care about) and
disadvantages (e.g. you can't do additional parameter values checks).

>> pg_read_file
>> pg_read_file_all
>> pg_read_binary_file
>> pg_read_binary_file_all
>> pg_stat_file
>> pg_ls_dir
>
> is relative dangerous and I am not for opening these functions.
>
> power user can simply to write extension, but he knows what he does/

I see only dangers that are already present.

Tomas