From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Vaishnavi Prabakaran <vaishnaviprabakaran(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Simplify ACL handling for large objects and removal of superuser() checks |
Date: | 2017-11-10 15:50:47 |
Message-ID: | CA+TgmobeV8M6Rch9LBf8hV3bCSRnJTK9BCbBPnZX5XYSFiUJaA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Fri, Nov 10, 2017 at 10:34 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> I think as far as that goes, we can just change to "Therefore, by default
> their use is restricted ...". Then I suggest adding a <caution> para
> after that, with wording along the lines of
>
> It is possible to GRANT use of server-side lo_import and lo_export to
> non-superusers, but careful consideration of the security implications
> is required. A malicious user of such privileges could easily parlay
> them into becoming superuser (for example by rewriting server
> configuration files), or could attack the rest of the server's file
> system without bothering to obtain database superuser privileges as
> such. Access to roles having such privilege must therefore be guarded
> just as carefully as access to superuser roles. Nonetheless, if use
> of server-side lo_import or lo_export is needed for some routine task,
> it's safer to use a role of this sort than full superuser privilege,
> as that helps to reduce the risk of damage from accidental errors.
+1. That seems like great language to me.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2017-11-10 15:54:57 | Re: Add some const decorations to prototypes |
Previous Message | Fabrízio de Royes Mello | 2017-11-10 15:49:14 | Re: [PATCH] A hook for session start |