From: | Bingyu Shen <ahshenbingyu(at)gmail(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Log enhancement for aclcheck permissions failures |
Date: | 2021-04-30 23:55:18 |
Message-ID: | CA+hTCOigphb0MRDbB4sOBCc6CFoQR_i0m9UamzBPYvd968Oq6w@mail.gmail.com |
Lists: | pgsql-hackers |
Hi hackers,
I was wondering if we can improve the error messages for acl permission
failures.
Current implementation to report errors is in "backend/catalog/aclchk.c":

    void aclcheck_error(AclResult aclerr, ObjectType objtype, const char *objectname);

Based on the AclResult type, it prints log messages like

    "permission denied for schema %s"

which tells the admins what could be the domain of the permission-deny,
like table name or schema name.
However, I find that the log messages *lack* more details, i.e., the
*exact permission* that causes the permission-deny. For the novice users,
they may end up over-granting the permission to fix the issues
and cause a security vulnerability in the database.
I think the log messages can be better if we add some diagnostic
information like which *role* is denied and what *permission* it lacks.
This way the users know exactly which permission to grant
without trial and error.
It is not hard to improve the log messages after looking into the code.
Most places use the function aclcheck_error() exactly after the permission
check, e.g., pg_type_aclcheck(), pg_tablespace_aclcheck().
For example, in backend/commands/dbcommands.c, it checks whether
the user has CREATE permission.
    aclresult = pg_tablespace_aclcheck(dst_deftablespace, GetUserId(),
                                       ACL_CREATE);
    if (aclresult != ACLCHECK_OK)
        aclcheck_error(aclresult, OBJECT_TABLESPACE, tablespacename);

We can simply change the aclcheck_error() function parameter a bit,
then we can pass the exact permission to the function, and tell the users
exactly why the permission is denied. Something would be like
    void aclcheck_error(AclResult aclerr, ObjectType objtype,
                        const char *objectname,
                        const char *privilegename)

Any thoughts would be appreciated. Thanks!
Best regards,
Bingyu
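The following is an added, stand-alone C illustration of the message change the mail proposes; it is not PostgreSQL code and not the author's patch. The enums, the AclMode bit values and the message wording are constructed for this example (the real definitions live in acl.h and aclchk.c); only the general shape follows the mail: a privilege bit is mapped to its name, and the error text is extended with the role and the exact privilege it lacks, so an administrator can grant that one privilege instead of a broader one.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the PostgreSQL types (values are this
 * example's own, not copied from acl.h). */
typedef enum { ACLCHECK_OK = 0, ACLCHECK_NO_PRIV, ACLCHECK_NOT_OWNER } AclResult;
typedef enum { OBJECT_SCHEMA, OBJECT_TABLE, OBJECT_TABLESPACE } ObjectType;
typedef unsigned int AclMode;          /* one bit per privilege */
#define ACL_SELECT (1u << 0)
#define ACL_USAGE  (1u << 1)
#define ACL_CREATE (1u << 2)

static const char *object_type_name(ObjectType t)
{
    switch (t) {
    case OBJECT_SCHEMA:     return "schema";
    case OBJECT_TABLE:      return "table";
    case OBJECT_TABLESPACE: return "tablespace";
    }
    return "object";
}

/* Map a single privilege bit to the keyword a user would GRANT. */
const char *privilege_name(AclMode mode)
{
    switch (mode) {
    case ACL_SELECT: return "SELECT";
    case ACL_USAGE:  return "USAGE";
    case ACL_CREATE: return "CREATE";
    }
    return "UNKNOWN";
}

/* Current behaviour as the mail describes it: only the object is named.
 * Returns the number of characters written (0 when there is no error). */
int format_acl_error_current(char *buf, size_t len, AclResult aclerr,
                             ObjectType objtype, const char *objectname)
{
    if (aclerr == ACLCHECK_OK) {
        buf[0] = '\0';
        return 0;
    }
    if (aclerr == ACLCHECK_NOT_OWNER)
        return snprintf(buf, len, "must be owner of %s %s",
                        object_type_name(objtype), objectname);
    return snprintf(buf, len, "permission denied for %s %s",
                    object_type_name(objtype), objectname);
}

/* Proposed shape: the same message plus the role and the exact privilege
 * it lacks, so the fix is a single targeted GRANT. */
int format_acl_error_proposed(char *buf, size_t len, AclResult aclerr,
                              ObjectType objtype, const char *objectname,
                              const char *rolename, AclMode missing)
{
    int n = format_acl_error_current(buf, len, aclerr, objtype, objectname);
    if (aclerr == ACLCHECK_NO_PRIV && n > 0 && (size_t)n < len)
        n += snprintf(buf + n, len - (size_t)n, " (role %s lacks %s)",
                      rolename, privilege_name(missing));
    return n;
}

/* Simulated call site mirroring the dbcommands.c pattern from the mail:
 * check one privilege bit against the role's granted set, then report.
 * Returns the AclResult so callers can branch on it. */
AclResult check_and_report(char *buf, size_t len, const char *rolename,
                           AclMode granted, AclMode required,
                           ObjectType objtype, const char *objectname)
{
    AclResult aclresult = (granted & required) == required
                          ? ACLCHECK_OK : ACLCHECK_NO_PRIV;
    format_acl_error_proposed(buf, len, aclresult, objtype, objectname,
                              rolename, required);
    return aclresult;
}

int main(void)
{
    char buf[128];
    /* Constructed scenario: app_user holds USAGE only, tries to CREATE. */
    check_and_report(buf, sizeof buf, "app_user", ACL_USAGE, ACL_CREATE,
                     OBJECT_TABLESPACE, "ts_data");
    puts(buf);
    return 0;
}
```

Running the block prints the proposed form for the tablespace example from the mail; the test below also checks that the current form and the no-error case are unchanged by the extension.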