pg_parameter_aclcheck() and trusted extensions
Nathan Bossart <nathandbossart@gmail.com>
From: Nathan Bossart <nathandbossart@gmail.com>
To: pgsql-hackers@postgresql.org
Date: 2022-07-06T22:47:27Z
Lists: pgsql-hackers
Hi hackers, I found that as of a0ffa88, it's possible to set a PGC_SUSET GUC defined by a trusted extension as a non-superuser. I've confirmed that this only affects v15 and later versions. postgres=# CREATE ROLE testuser; CREATE ROLE postgres=# GRANT CREATE ON DATABASE postgres TO testuser; GRANT postgres=# SET ROLE testuser; SET postgres=> SET plperl.on_plperl_init = 'test'; SET postgres=> CREATE EXTENSION plperl; CREATE EXTENSION postgres=> SELECT setting FROM pg_settings WHERE name = 'plperl.on_plperl_init'; setting --------- test (1 row) On previous versions, the CREATE EXTENSION command emits the following WARNING, and the setting does not take effect: WARNING: permission denied to set parameter "plperl.on_plperl_init" I think the call to superuser_arg() in pg_parameter_aclmask() is causing set_config_option() to bypass the normal privilege checks, as execute_extension_script() will have set the user ID to the bootstrap superuser for trusted extensions like plperl. I don't have a patch or a proposal at the moment, but I thought it was worth starting the discussion. -- Nathan Bossart Amazon Web Services: https://aws.amazon.com
Commits
-
Fix missed corner cases for grantable permissions on GUCs.
- a2944d872452 15.0 landed
- 13d838815148 16.0 landed