Re: Non-superuser subscription owners
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Jeff Davis <pgsql@j-davis.com>
Cc: Robert Haas <robertmhaas@gmail.com>, Andres Freund <andres@anarazel.de>, Mark Dilger <mark.dilger@enterprisedb.com>, Amit Kapila <amit.kapila16@gmail.com>, Andrew Dunstan <andrew@dunslane.net>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2023-02-28T02:31:47Z
Lists: pgsql-hackers
Greetings, * Jeff Davis (pgsql@j-davis.com) wrote: > On Mon, 2023-02-27 at 14:10 -0500, Stephen Frost wrote: > > I do think there are some use-cases for it, but agree that it'd be > > better to encourage more use of SECURITY DEFINER and one approach to > > that might be to have a way for users to explicitly say "don't run > > code > > that isn't mine or a superuser's with my privileges." > > I tried that: > > https://www.postgresql.org/message-id/75b0dbb55e9febea54c441efff8012a6d2cb5bd7.camel@j-davis.com > > but Andres pointed out some problems with my implementation. They > didn't seem easily fixable, but perhaps with more effort it could work > (run all the expressions as security definer, as well?). Presumably. Ultimately, I tend to agree it won't be easy. That doesn't mean it's not a worthwhile effort. > > Of course, we > > need to make sure it's possible to write safe SECURITY DEFINER > > functions > > and to be clear about how to do that to avoid the risk in the other > > direction. > > Agreed. Perhaps we can force search_path to be set for SECURITY > DEFINER, and require that the temp schema be explicitly included rather > than the current "must be at the end". We could also provide a way to > turn public access off in the same statement, so that you don't need to > use a transaction block to keep the function private. We do pretty strongly encourage a search_path setting for SECURITY DEFINER today.. That said, I'm not against pushing on that harder. The issue about temporary schemas is a more difficult issue... but frankly, I'd like an option to say "no temporary schemas should be allowed in my search path" when it comes to a security definer function. > > I don't think we'd be able to get away with just getting rid of > > SECURITY > > INVOKER entirely or even in changing the current way triggers (or > > functions in views, etc) are run by default. > > I didn't propose anything radical. I'm just trying to get some > agreement that SECURITY INVOKER is central to a lot of our security > woes, and that we should be treating it with skepticism on a > fundamental level. Sure, but if we want to make progress then we have to provide a direction for folks to go in that's both secure and convenient. > Individual proposals for how to get away from SECURITY INVOKER should > be evaluated on their merits (i.e. don't break a bunch of stuff). Of course. That said ... we don't want to spend a lot of time going in a direction that won't bear fruit; I'm hopeful that this direction will though. Thanks, Stephen
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix possible crash in tablesync worker.
- b5c517379a40 16.0 landed
-
Display 'password_required' option for \dRs+ command.
- 19e65dff38bd 16.0 landed
-
Restart the apply worker if the 'password_required' option is changed.
- c1cc4e688b60 16.0 landed
-
Fix possible logical replication crash.
- e7e7da2f8d57 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 landed
-
Expand AclMode to 64 bits
- 7b378237aa80 16.0 cited
-
More cleanup of a2ab9c06ea.
- 96a6f11c0625 15.0 landed
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 landed
-
Improve table locking behavior in the face of current DDL.
- 2ad36c4e44c8 9.2.0 cited