Re: Non-superuser subscription owners
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Stephen Frost <sfrost@snowman.net>
Cc: Jeff Davis <pgsql@j-davis.com>, Andres Freund <andres@anarazel.de>, Mark Dilger <mark.dilger@enterprisedb.com>,
Amit Kapila <amit.kapila16@gmail.com>, Andrew Dunstan <andrew@dunslane.net>,
PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2023-03-01T17:33:10Z
Lists: pgsql-hackers
On Wed, Mar 1, 2023 at 10:48 AM Stephen Frost <sfrost@snowman.net> wrote: > > Yeah, or any other expressions. Basically impose restrictions when the > > user running the code is not the same as the user who provided the > > code. > > Would this have carve-outs for things like "except if the user providing > the code is trusted/superuser"? Seems like that would be necessary for > the function to be able to do more-or-less anything, but then I worry > that there's superuser-owned code which could leak information or be > used by a malicious owner as that code would still be running as the > invoking user.. Perhaps we could say that the function also has to be > leakproof, but that isn't quite the same issue and therefore it seems > like we'd need to decorate all of the functions with another flag that's > allowed to be run in this manner. Yes, I think there can be carve-outs based on the relationship of the users involved -- if the user who provided the code is the superuser or some other user who can anyway run whatever they want as the user performing the operation, then there's no point in imposing any restrictions -- and I think there can also be some way of setting policy. I proposed a GUC in an earlier email, and you proposed one with somewhat different semantics in this email, and I'm not sure that either of those things in particular is right or that we ought to be using a GUC for this at all. However, there should almost certainly be SOME way for the superuser to turn any new restrictions off, and there should probably also be some way for an unprivileged user to say "you know, I am totally OK with running any code that alice provides -- just go with it." I don't think we're at a point where we can conclude on what those mechanisms should look like just yet, but I think that everyone who has spoken up agrees that they ought to exist, assuming we go in this direction at all. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix possible crash in tablesync worker.
- b5c517379a40 16.0 landed
-
Display 'password_required' option for \dRs+ command.
- 19e65dff38bd 16.0 landed
-
Restart the apply worker if the 'password_required' option is changed.
- c1cc4e688b60 16.0 landed
-
Fix possible logical replication crash.
- e7e7da2f8d57 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 landed
-
Expand AclMode to 64 bits
- 7b378237aa80 16.0 cited
-
More cleanup of a2ab9c06ea.
- 96a6f11c0625 15.0 landed
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 landed
-
Improve table locking behavior in the face of current DDL.
- 2ad36c4e44c8 9.2.0 cited