Allowing to create LEAKPROOF functions to non-superuser

From: Andrey Borodin <x4mmm(at)yandex-team(dot)ru>
To: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Allowing to create LEAKPROOF functions to non-superuser
Date: 2021-04-12 20:31:30
Message-ID: F2C8AC70-D34F-4E43-97E2-C6A8E1FA535A@yandex-team.ru
Lists: pgsql-hackers

Hi hackers!

This thread continues the discussion of allowing something to non-superusers; AFAIK the previous one was [0].

Currently only superuser is allowed to create LEAKPROOF functions because leakproof functions can see tuples which have not yet been filtered out by security barrier views or row level security policies.

But managed cloud services typically do not provide superuser roles. I'm thinking about allowing the database owner or someone with BYPASSRLS flag to create these functions. Or, perhaps, pg_read_all_data.

And I'm trying to figure out if there are any security implications. Consider a user who already has access to all user data in a DB and the ability to create LEAKPROOF functions. Can they gain a superuser role or access something else that is available only to a superuser?
Is it possible to relax requirements for the creator of LEAKPROOF functions in upstream Postgres?

I'd appreciate any comments. Thanks!

Best regards, Andrey Borodin.

[0] https://www.postgresql.org/message-id/flat/CACqFVBbx6PDq%2B%3DvHM0n78kHzn8tvOM-kGO_2q_q0zNAMT%2BTzdA%40mail.gmail.com
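As an added illustration (not part of the mail above), a constructed psql session showing why the LEAKPROOF flag is gated: a predicate with a side channel is kept behind the RLS qual until it is marked leakproof, after which the planner may evaluate it over rows the policy later discards. The role, table and function names are made up; the final query is the kind of audit an operator would run.

```sql
-- Constructed demo; run as superuser in a scratch database.
CREATE ROLE alice LOGIN;
CREATE TABLE accounts (id int PRIMARY KEY, owner text, balance numeric);
INSERT INTO accounts VALUES (1, 'alice', 100), (2, 'bob', 200);
GRANT SELECT ON accounts TO alice;
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_rows ON accounts FOR SELECT USING (owner = current_user);

-- A predicate with a side channel: it reports its input via NOTICE.
-- COST 1 makes it cheaper than the policy qual, so once it is marked
-- LEAKPROOF the planner is free to order it before the policy.
CREATE FUNCTION noisy_lt(numeric, numeric) RETURNS boolean
LANGUAGE plpgsql IMMUTABLE COST 1 AS $$
BEGIN
  RAISE NOTICE 'noisy_lt saw balance %', $1;
  RETURN $1 < $2;
END $$;

-- Not leakproof: the RLS qual is evaluated first, so alice's query
-- only triggers the NOTICE for her own row.
SET ROLE alice;
SELECT id FROM accounts WHERE noisy_lt(balance, 1000);
RESET ROLE;

-- Only a superuser may do this today. It asserts "no side channels",
-- which is false for noisy_lt.
ALTER FUNCTION noisy_lt(numeric, numeric) LEAKPROOF;

-- The result set is still just alice's row, but the NOTICE now also
-- reports bob's balance: the filtered-out tuple reached the function.
-- Qual order remains a planner decision; EXPLAIN shows the Filter order.
SET ROLE alice;
EXPLAIN (COSTS OFF) SELECT id FROM accounts WHERE noisy_lt(balance, 1000);
SELECT id FROM accounts WHERE noisy_lt(balance, 1000);
RESET ROLE;

-- Audit: which non-catalog functions are leakproof, and who owns them.
SELECT p.oid::regprocedure AS function, r.rolname AS owner, r.rolsuper
FROM pg_proc p
JOIN pg_roles r ON r.oid = p.proowner
WHERE p.proleakproof
  AND p.pronamespace <> 'pg_catalog'::regnamespace;
```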
