| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Hannu Krosing <hannuk(at)google(dot)com>, Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, Andres Freund <andres(at)anarazel(dot)de>, Jeff Davis <pgsql(at)j-davis(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Robert Pang <robertpang(at)google(dot)com> |
| Subject: | Re: Hardening PostgreSQL via (optional) ban on local file system access |
| Date: | 2022-06-30 17:25:41 |
| Message-ID: | Yr3clQDNHgPQGx08@momjian.us |
| Lists: | pgsql-hackers |

On Thu, Jun 30, 2022 at 11:52:20AM -0400, Robert Haas wrote:
> I don't think this would be very convenient in most scenarios, and I
> think it would also be difficult to implement correctly. I don't think
> you can get by with just having superuser() return false sometimes
> despite pg_authid.rolsuper being true. There's a lot of subtle
> assumptions in the code to the effect that the properties of a session
> are basically stable unless some SQL is executed which changes things.
> I think if we start injecting hacks like this it may seem to work in
> light testing but we'll never get to the end of the bug reports.

Yeah, seems it would have to be specified per-session, but how would you
specify a specific session before the session starts?
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Indecision is a decision. Inaction is an action. Mark Batterson