Re: fixing CREATEROLE
Joe Conway <mail@joeconway.com>
From: Joe Conway <mail@joeconway.com>
To: Robert Haas <robertmhaas@gmail.com>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2022-11-22T16:40:17Z
Lists: pgsql-hackers
On 11/21/22 15:39, Robert Haas wrote: > I'm curious to hear what other people think of these proposals, but > let me first say what I think about them. First, I think it's clear > that we need to do something, because things right now are pretty > badly broken and in a way that affects security. Although these > patches are not back-patchable, they at least promise to improve > things as older versions go out of use. +1 > Second, it's possible that we should look for back-patchable fixes > here, but I can't really see that we're going to come up with > anything much better than just telling people not to use this feature > against older releases, because back-patching catalog changes or > dramatic behavior changes seems like a non-starter. In other words, I > think this is going to be a master-only fix. Yep, seems highly likely > Third, someone could well have a better or just different idea how to > fix the problems in this area than what I'm proposing here. This is > the best that I've been able to come up with so far, but that's not > to say it's free of problems or that no improvements are possible. On quick inspection I like what you have proposed and no significantly "better" ideas jump to mind. I will try to think on it though. > Finally, I think that whatever we do about the code, the documentation > needs quite a bit of work, because the code is doing a lot of stuff > that is security-critical and entirely non-obvious from the > documentation. I have not in this version of these patches included > any documentation changes and the regression test changes that I have > included are quite minimal. That all needs to be fixed up before there > could be any thought of moving forward with these patches. However, I > thought it best to get rough patches and an outline of the proposed > direction on the table first, before doing a lot of work refining > things. I have looked at, and even done some doc improvements in this area in the past, and concluded that it is simply hard to describe it in a clear, straightforward way. There are multiple competing concepts (privs on objects, attributes of roles, membership, when things are inherited versus not, settings bound to roles, etc). I don't know what to do about it, but yeah, fixing the documentation would be a noble goal. -- Joe Conway PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com
Commits
-
Add new GUC createrole_self_grant.
- e5b8a4c098ad 16.0 landed
-
Restrict the privileges of CREATEROLE users.
- cf5eb37c5ee0 16.0 landed
-
Pass down current user ID to AddRoleMems and DelRoleMems.
- 39cffe95f2c5 16.0 landed
-
Refactor permissions-checking for role grants.
- 25bb03166b16 16.0 landed
-
Improve documentation of the CREATEROLE attibute.
- 0b496bc9881f 11.19 landed
- 1a5ff7be2696 12.14 landed
- 5dac191edf18 13.10 landed
- 1c77873727df 16.0 landed
- 5136c3fb575b 14.7 landed
- aa26980ca081 15.2 landed
-
Make role grant system more consistent with other privileges.
- ce6b672e4455 16.0 cited