Re: system administration functions with hardcoded superuser checks

On 19 December 2012 06:34, Magnus Hagander <magnus(at)hagander(dot)net> wrote:

> Granting executability on pg_read_xyz is pretty darn close to granting
> superuser, without explicitly asking for it. Well, you get "read only
> superuser". If we want to make that step as easy as just GRANT, we
> really need to write some *very* strong warnings in the documentation
> so that people realize this. I doubt most people will realize it
> unless we do that (and those who don't read the docs, whch is probably
> a majority, never will).

Good point.

Can we do that explicitly with fine grained superuser-ness?

GRANT SUPERUSER ON FUNCTION .... TO foo;

> If you use SECURITY DEFINER, you can limit the functions to *the
> specific files that you want to grant read on*. Which makes it
> possible to actually make it secure. E.g. you *don't* have to give
> full read to your entire database.

Even better point

> If you're comparing it to a blanket SECURITY DEFINER with no checks,
> then yes, it's a simpler way to fire the cannon into your own foot,
> yes. But if also gives you a way that makes it more likely that you
> don't *realize* that you're about to fire a cannon into your foot.

--
Simon Riggs http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services