pg_parameter_aclcheck() and trusted extensions

Nathan Bossart <nathandbossart@gmail.com>

From: Nathan Bossart <nathandbossart@gmail.com>
To: pgsql-hackers@postgresql.org
Date: 2022-07-06T22:47:27Z
Lists: pgsql-hackers
Hi hackers,

I found that as of a0ffa88, it's possible to set a PGC_SUSET GUC defined by
a trusted extension as a non-superuser.  I've confirmed that this only
affects v15 and later versions.

	postgres=# CREATE ROLE testuser;
	CREATE ROLE
	postgres=# GRANT CREATE ON DATABASE postgres TO testuser;
	GRANT
	postgres=# SET ROLE testuser;
	SET
	postgres=> SET plperl.on_plperl_init = 'test';
	SET
	postgres=> CREATE EXTENSION plperl;
	CREATE EXTENSION
	postgres=> SELECT setting FROM pg_settings WHERE name = 'plperl.on_plperl_init';
	 setting 
	---------
	 test
	(1 row)

On previous versions, the CREATE EXTENSION command emits the following
WARNING, and the setting does not take effect:

	WARNING:  permission denied to set parameter "plperl.on_plperl_init"

I think the call to superuser_arg() in pg_parameter_aclmask() is causing
set_config_option() to bypass the normal privilege checks, as
execute_extension_script() will have set the user ID to the bootstrap
superuser for trusted extensions like plperl.  I don't have a patch or a
proposal at the moment, but I thought it was worth starting the discussion.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com



Commits

  1. Fix missed corner cases for grantable permissions on GUCs.