Re: pg_parameter_aclcheck() and trusted extensions - Mailing list pgsql-hackers

From Tom Lane
Subject Re: pg_parameter_aclcheck() and trusted extensions
Date
Msg-id 1356977.1658262428@sss.pgh.pa.us
Whole thread Raw
In response to Re: pg_parameter_aclcheck() and trusted extensions  (Nathan Bossart <nathandbossart@gmail.com>)
Responses Re: pg_parameter_aclcheck() and trusted extensions
List pgsql-hackers
Nathan Bossart <nathandbossart@gmail.com> writes:
>> I think this is because GUCArrayReset() is the only caller of
>> validate_option_array_item() that sets skipIfNoPermissions to true.  The
>> others fall through to set_config_option(), which does a
>> pg_parameter_aclcheck().  So, you are right.

> Here's a small patch that seems to fix this case.

Yeah, this is more or less what I was thinking of.

> However, I wonder if a
> better way to fix this is to provide a way to stop set_config_option() from
> throwing errors (e.g., setting elevel to -1).  That way, we could remove
> the manual permissions checks in favor of always using the real ones, which
> might help prevent similar bugs in the future.

I thought about that for a bit.  You could almost do it today if you
passed elevel == DEBUG5; the ensuing log chatter for failures would be
down in the noise compared to everything else you would see with
min_messages cranked down that far.  However,

(1) As things stand, set_config_option()'s result does not distinguish
no-permissions failures from other problems, so we'd need some rejiggering
of its API anyway.

(2) As you mused upthread, it's possible that ACL_SET isn't what we should
be checking here, but some more-specific privilege.  So I'd just as soon
keep this privilege check separate from set_config_option's.

I'll push ahead with fixing it like this.

            regards, tom lane



pgsql-hackers by date:

Previous
From: Martin Kalcher
Date:
Subject: Re: [PATCH] Introduce array_shuffle() and array_sample()
Next
From: Bruce Momjian
Date:
Subject: Re: First draft of the PG 15 release notes