Re: Granting SET and ALTER SYSTE privileges for GUCs

From: Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com>
To: Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Jeff Davis <pgsql(at)j-davis(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Joe Conway <joe(at)crunchydata(dot)com>
Subject: Re: Granting SET and ALTER SYSTE privileges for GUCs
Date: 2021-12-15 18:18:05
Message-ID: FA57D4A2-B17F-46ED-92A6-22FF25FEA795@enterprisedb.com
Lists: pgsql-hackers

> On Dec 15, 2021, at 10:02 AM, Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com> wrote:
>
> Ah, I was actually requesting a hook where the acl check was done for
> setting a GUC, such that we could deny setting them in a hook,
> something that would be useful for the set_user extension
> (github.com/pgaudit/set_user)

Hmm, this seems orthogonal to the patch under discussion. This patch only adds a pg_setting_acl_aclcheck in ExecSetVariableStmt() for settings which have been explicitly granted, otherwise it works the traditional way (checking whether the setting is suset/userset). I don't think you'd get MAC support without finding a way to fire the hook for all settings, regardless of their presence in the new pg_setting_acl table. That is hard, because InvokeObjectPostAlterHook expects the classId (SettingAclRelationId) and the objectId (pg_setting_acl.oid), but you don't have those for many (most?) settings. As discussed upthread, we *do not* want to force an entry into the table for all settings, only for ones that have been explicitly granted.

Do you agree? I'm happy to support MAC in this patch if you can explain a simple way of doing so.

> but having a hook for grant/revoke is
> also helpful.

Yes, I see no reason to rip this out.


Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
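The message above describes the check the patch adds: a setting that has been explicitly granted gets an ACL lookup in ExecSetVariableStmt(), and every other setting keeps the traditional suset/userset rule. As an added illustration (not code from this thread or its author), the following SQL shows the user-visible effect of that design using the syntax the feature shipped with in PostgreSQL 15, where the catalog discussed here as pg_setting_acl was released under the name pg_parameter_acl; the role name app_dba is a constructed placeholder.

```sql
-- Added example, not from the original thread. Run as a superuser.
-- Constructed role name; any non-superuser login role will do.
CREATE ROLE app_dba LOGIN;

-- log_min_duration_statement is a SUSET parameter: with no grant there is
-- no catalog row, so the traditional rule applies and only superusers may
-- SET it. The grant is the only thing that creates a row for the check.
GRANT SET ON PARAMETER log_min_duration_statement TO app_dba;

-- Only explicitly granted parameters appear here; ungranted ones never get
-- a row, which is the behaviour the thread argues for.
SELECT parname, paracl FROM pg_parameter_acl;

-- Exercise the check as the grantee.
SET ROLE app_dba;
SET log_min_duration_statement = '250ms';  -- allowed through the grant
SET log_statement = 'all';                 -- fails: SUSET parameter with no grant
RESET ROLE;

-- Least-privilege cleanup: withdraw the grant rather than leave it standing.
REVOKE SET ON PARAMETER log_min_duration_statement FROM app_dba;
```

The point for an operator is that the grant is narrower than superuser: a role can be allowed to tune one SUSET parameter without any other privilege, and the permission is visible and auditable in the catalog.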
