Re: Extension pg_trgm, permissions and pg_dump order

Nathan Bossart <nathandbossart@gmail.com>

From: Nathan Bossart <nathandbossart@gmail.com>
To: Noah Misch <noah@leadboat.com>
Cc: Michael Paquier <michael@paquier.xyz>, pgsql-bugs@lists.postgresql.org, Färber, Franz-Josef (StMUK) <Franz-Josef.Faerber@stmuk.bayern.de>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2022-06-22T16:25:50Z
Lists: pgsql-bugs, pgsql-general
On Tue, Jun 21, 2022 at 08:37:04PM -0700, Noah Misch wrote:
> On Tue, Jun 21, 2022 at 10:56:16AM -0700, Nathan Bossart wrote:
>> On Wed, Jun 15, 2022 at 10:42:18PM -0700, Noah Misch wrote:
>> > +		 * Identify the opclass to use.  Use of ddl_userid is necessary due to
>> > +		 * ACL checks therein.  This is safe despite opclasses containing
>> > +		 * opaque expressions (specifically, functions), because only
>> > +		 * superusers can define opclasses.
>> 
>> It's not clear to me why the fact that only superusers can define opclasses
>> makes this safe.
> 
> 		classOidP[attn] = ResolveOpClass(attribute->opclass,
> 										 atttype,
> 										 accessMethodName,
> 										 accessMethodId);
> 
> To write the comment, I pondered how those four arguments could conceivably
> lead ResolveOpClass() to locate Trojan code.  Since only superusers can define
> opclasses, we can assume the catalog entries of an opclass do not point to
> Trojan code.  (The superuser could just do the mischief directly, rather than
> going to extra trouble to set a trap for later.)  If you see a hole in that
> thinking, please do share.

Thanks for clarifying.  That makes sense to me.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com



Commits

  1. CREATE INDEX: use the original userid for more ACL checks.