Re: Extension pg_trgm, permissions and pg_dump order
Nathan Bossart <nathandbossart@gmail.com>
From: Nathan Bossart <nathandbossart@gmail.com>
To: Noah Misch <noah@leadboat.com>
Cc: Michael Paquier <michael@paquier.xyz>, pgsql-bugs@lists.postgresql.org, Färber, Franz-Josef (StMUK) <Franz-Josef.Faerber@stmuk.bayern.de>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2022-06-22T16:25:50Z
Lists: pgsql-bugs, pgsql-general
On Tue, Jun 21, 2022 at 08:37:04PM -0700, Noah Misch wrote: > On Tue, Jun 21, 2022 at 10:56:16AM -0700, Nathan Bossart wrote: >> On Wed, Jun 15, 2022 at 10:42:18PM -0700, Noah Misch wrote: >> > + * Identify the opclass to use. Use of ddl_userid is necessary due to >> > + * ACL checks therein. This is safe despite opclasses containing >> > + * opaque expressions (specifically, functions), because only >> > + * superusers can define opclasses. >> >> It's not clear to me why the fact that only superusers can define opclasses >> makes this safe. > > classOidP[attn] = ResolveOpClass(attribute->opclass, > atttype, > accessMethodName, > accessMethodId); > > To write the comment, I pondered how those four arguments could conceivably > lead ResolveOpClass() to locate Trojan code. Since only superusers can define > opclasses, we can assume the catalog entries of an opclass do not point to > Trojan code. (The superuser could just do the mischief directly, rather than > going to extra trouble to set a trap for later.) If you see a hole in that > thinking, please do share. Thanks for clarifying. That makes sense to me. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
Commits
-
CREATE INDEX: use the original userid for more ACL checks.
- 88b39e61486a 10.22 landed
- 6d49cc28613b 11.17 landed
- 93731d549e15 12.12 landed
- 8782ce49e4d0 13.8 landed
- ace9973867c2 14.5 landed
- 00377b9a02b8 15.0 landed