untrusted PLs should be GRANTable

From: Craig Ringer <craig(at)2ndquadrant(dot)com>
To: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: untrusted PLs should be GRANTable
Date: 2018-07-17 05:20:29
Message-ID: CAMsr+YGXjdQs2cG0R-a59C-HW3aAdcqOHdC1SR7SHVh+2J6cxA@mail.gmail.com
Lists: pgsql-hackers

Hi all

A user has raised the point that our refusal to GRANT rights to untrusted
PLs is counterproductive and inconsistent with how we behave elsewhere.

Yes, untrusted PLs can be escaped to gain superuser rights, often trivially.

But we allow this:

CREATE ROLE superme SUPERUSER NOINHERIT;
GRANT superme TO me;

.... and really, GRANTing an untrusted PL is similar.

Forcing users to create their PLs as a superuser increases the routine use
of superuser accounts. Most users' DDL deploy scripts will get run as a
superuser if they have to use a superuser for PL changes; they're not going
to SET ROLE and RESET ROLE around the function changes.

It also encourages users to make their untrusted functions SECURITY DEFINER
when still owned by a superuser, which we really don't want them doing
unnecessarily.

In the name of making things more secure, we've made them less secure.

Untrusted PLs should be GRANTable with a NOTICE or WARNING telling the
admin that GRANTing an untrusted PL effectively gives the user the ability
to escape to superuser.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
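The deployment pattern the mail describes, written out as an added example (not from Craig's mail or from PostgreSQL itself). The role names `me` and `superme` come from the mail; the language `plpython3u`, the function name `host_uname` and the catalog queries are assumptions, and `plpython3u` must already be installed in the database. It shows the current behaviour the mail objects to (GRANT on an untrusted language is refused), the NOINHERIT superuser-role workaround, and the SET ROLE / RESET ROLE bracketing that keeps the rest of the deploy script running without superuser rights:

```sql
-- Added example, not part of the original mail.
-- Assumptions: plpython3u is installed; host_uname() is a hypothetical function.

-- 1. See which installed languages are trusted. Untrusted languages
--    (lanpltrusted = false) can only be used by superusers.
SELECT lanname, lanpltrusted FROM pg_language ORDER BY lanname;

-- 2. The status quo the mail describes: the server refuses to GRANT rights
--    on an untrusted language, so this statement errors out.
-- GRANT USAGE ON LANGUAGE plpython3u TO me;

-- 3. The workaround from the mail: superuser capability as a NOINHERIT
--    role. "me" logs in as an ordinary role and reaches superuser only by
--    an explicit SET ROLE.
CREATE ROLE me LOGIN;
CREATE ROLE superme SUPERUSER NOINHERIT;
GRANT superme TO me;

-- 4. Deploy script run as "me": elevate only around the untrusted-PL
--    function, then drop back. Leave the function SECURITY INVOKER (the
--    default) so callers do not run with its superuser owner's rights.
SET ROLE superme;
CREATE OR REPLACE FUNCTION host_uname() RETURNS text
LANGUAGE plpython3u
AS $$
import platform
return platform.uname().system
$$;
RESET ROLE;

-- 5. Confirm the session is no longer superuser before the rest of the
--    deploy script continues.
SELECT current_user, rolsuper
FROM pg_roles
WHERE rolname = current_user;
```

The check in step 5 is the one worth keeping in a real deploy script: if `rolsuper` is true here, some earlier step forgot its `RESET ROLE` and everything that follows runs with superuser rights, which is exactly the drift the mail warns about.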
