Re: Non-superuser subscription owners
Andres Freund <andres@anarazel.de>
From: Andres Freund <andres@anarazel.de>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Jeff Davis <pgsql@j-davis.com>, Mark Dilger <mark.dilger@enterprisedb.com>, Amit Kapila <amit.kapila16@gmail.com>, Andrew Dunstan <andrew@dunslane.net>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2023-03-02T00:34:40Z
Lists: pgsql-hackers
Hi, On 2023-02-28 08:37:02 -0500, Robert Haas wrote: > On Mon, Feb 27, 2023 at 7:37 PM Jeff Davis <pgsql@j-davis.com> wrote: > > > Yeah. That's the idea I was floating, at least. > > > > Isn't that a hard problem; maybe impossible? > > It doesn't seem that hard to me; maybe I'm missing something. > > The existing SECURITY_RESTRICTED_OPERATION flag basically prevents you > from tinkering with the session state. If we also had a similar flags > like DATABASE_READS_PROHIBITED and DATABASE_WRITES_PROHIBITED (or just > a combined DATABASE_ACCESS_PROHIBITED flag) I think that would be > pretty close to what we need. The idea would be that, when a user > executes a function or procedure owned by a user that they don't trust > completely, we'd set > SECURITY_RESTRICTED_OPERATION|DATABASE_READS_PROHIBITED|DATABASE_WRITES_PROHIBITED. > And we could provide a user with a way to express the degree of trust > they have in some other user or perhaps even some specific function, > e.g. ISTM that this would require annotating most functions in the system. There's many problems besides accessing database contents. Just a few examples: - dblink functions to access another system / looping back - pg_read_file()/pg_file_write() allows almost arbitrary mischief - pg_stat_reset[_shared]() - creating/dropping logical replication slots - use untrusted PL functions - many more A single wrongly annotated function would be sufficient to escape. This includes user defined functions. This basically proposes that we can implement a safe sandbox for executing arbitrary code in a privileged context. IMO history suggests that that's a hard thing to do. Am I missing something? Greetings, Andres Freund
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix possible crash in tablesync worker.
- b5c517379a40 16.0 landed
-
Display 'password_required' option for \dRs+ command.
- 19e65dff38bd 16.0 landed
-
Restart the apply worker if the 'password_required' option is changed.
- c1cc4e688b60 16.0 landed
-
Fix possible logical replication crash.
- e7e7da2f8d57 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 landed
-
Expand AclMode to 64 bits
- 7b378237aa80 16.0 cited
-
More cleanup of a2ab9c06ea.
- 96a6f11c0625 15.0 landed
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 landed
-
Improve table locking behavior in the face of current DDL.
- 2ad36c4e44c8 9.2.0 cited