Re: CREATEROLE and role ownership hierarchies

Shinya Kato <shinya11.kato@oss.nttdata.com>

From: Shinya Kato <Shinya11.Kato@oss.nttdata.com>
To: Mark Dilger <mark.dilger@enterprisedb.com>
Cc: "Bossart, Nathan" <bossartn@amazon.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>, Andrew Dunstan <andrew@dunslane.net>, Jeff Davis <pgsql@j-davis.com>
Date: 2021-10-28T02:32:03Z
Lists: pgsql-hackers
On 2021-10-28 07:21, Mark Dilger wrote:
>>> On Oct 25, 2021, at 10:09 PM, Shinya Kato 
>>> <Shinya11.Kato@oss.nttdata.com> wrote:
> 
>>> Hi! Thank you for the patch.
>>> I too think that CREATEROLE escalation attack is problem.
>>> 
>>> I have three comments.
>>> 1. Is there a function to check the owner of a role, it would be nice 
>>> to be able to check with \du or pg_roles view.
>> 
>> No, but that is a good idea.
> 
> These two ideas are implemented in v2.  Both \du and pg_roles show the
> owner information.
Thank you. It seems good to me.

By the way, I got the following execution result.
I was able to add the membership of a role with a different owner.
In brief, "a" was able to change the membership of owner "shinya".
Is this the correct behavior?
---
postgres=# CREATE ROLE a LOGIN;
CREATE ROLE
postgres=# GRANT pg_execute_server_program TO a WITH ADMIN OPTION;
GRANT ROLE
postgres=# CREATE ROLE b;
CREATE ROLE
postgres=# \du a
                          List of roles
  Role name | Owner  | Attributes |          Member of
-----------+--------+------------+-----------------------------
  a         | shinya |            | {pg_execute_server_program}

postgres=# \du b
                  List of roles
  Role name | Owner  |  Attributes  | Member of
-----------+--------+--------------+-----------
  b         | shinya | Cannot login | {}

postgres=# \c - a
You are now connected to database "postgres" as user "a".
postgres=> GRANT pg_execute_server_program TO b;
GRANT ROLE
postgres=> \du b
                           List of roles
  Role name | Owner  |  Attributes  |          Member of
-----------+--------+--------------+-----------------------------
  b         | shinya | Cannot login | {pg_execute_server_program}
---

-- 
Regards,

--
Shinya Kato
Advanced Computing Technology Center
Research and Development Headquarters
NTT DATA CORPORATION



Commits

  1. Make role grant system more consistent with other privileges.

  2. Ensure that pg_auth_members.grantor is always valid.

  3. Remove the ability of a role to administer itself.

  4. Add tests of the CREATEROLE attribute

  5. Replace explicit PIN entries in pg_depend with an OID range test.

  6. Shore up ADMIN OPTION restrictions.

  7. Add pg_has_role() family of privilege inquiry functions modeled after the

  8. Align GRANT/REVOKE behavior more closely with the SQL spec, per discussion