Re: allowing for control over SET ROLE
Noah Misch <noah@leadboat.com>
From: Noah Misch <noah@leadboat.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Jeff Davis <pgsql@j-davis.com>, Stephen Frost <sfrost@snowman.net>, Nathan Bossart <nathandbossart@gmail.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2023-01-13T07:17:30Z
Lists: pgsql-hackers
On Thu, Jan 12, 2023 at 10:21:32AM -0500, Robert Haas wrote: > On Thu, Jan 12, 2023 at 12:09 AM Noah Misch <noah@leadboat.com> wrote: > > > --- a/doc/src/sgml/ref/grant.sgml > > > +++ b/doc/src/sgml/ref/grant.sgml > > > @@ -298,6 +298,20 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace > > > This option defaults to <literal>TRUE</literal>. > > > </para> > > > > > > + <para> > > > + To create an object owned by another role or give ownership of an existing > > > + object to another role, you must have the ability to <literal>SET > > > + ROLE</literal> to that role; otherwise, commands such as <literal>ALTER > > > + ... OWNER TO</literal> or <literal>CREATE DATABASE ... OWNER</literal> > > > + will fail. However, a user who inherits the privileges of a role but does > > > + not have the ability to <literal>SET ROLE</literal> to that role may be > > > + able to obtain full access to the role by manipulating existing objects > > > + owned by that role (e.g. they could redefine an existing function to act > > > + as a Trojan horse). Therefore, if a role's privileges are to be inherited > > > + but should not be accessible via <literal>SET ROLE</literal>, it should not > > > + own any SQL objects. > > > + </para> > > > > I recommend deleting the phrase "are to be inherited but" as superfluous. The > > earlier sentence's mention will still be there. WITH SET FALSE + NOINHERIT is > > a combination folks should not use or should use only when the role has no > > known privileges. > > I don't think I agree with this suggestion. If the privileges aren't > going to be inherited, it doesn't matter whether the role owns SQL > objects or not. And I think that there are two notable use cases for > SET FALSE + NOINHERIT (or SET FALSE + INHERIT FALSE). First, the a > grant with SET FALSE, INHERIT FALSE, ADMIN TRUE gives you the ability > to administer a role without inheriting its privileges or being able > to SET ROLE to it. You could grant yourself those abilities if you > want, but you don't have them straight off. In fact, CREATE ROLE > issued by a non-superuser creates such a grant implicitly as of > cf5eb37c5ee0cc54c80d95c1695d7fca1f7c68cb. That is a valid use case, but Trojan horse matters don't apply there. > Second, SET FALSE, INHERIT > FALSE could be used to set up groups for pg_hba.conf matching without > conferring privileges. That is factual, but doing this and having that role own objects shouldn't be considered a best practice. It's a bit like using the address of a function as an enum value. Instead of role own_some_objects_and_control_hba, the best practice would be to have two roles, own_some_objects / control_hba. Since the text is superfluous but not wrong, I won't insist.
Commits
-
More documentation update for GRANT ... WITH SET OPTION.
- 3cdf7502f85c 16.0 landed
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 cited
-
Add support for GRANT SET in psql tab completion
- 9d0cf574920f 16.0 landed
-
Add a SET option to the GRANT command.
- 3d14e171e9e2 16.0 landed
-
Allow grant-level control of role inheritance behavior.
- e3ce2de09d81 16.0 cited