Re: More network functions... - Mailing list pgsql-patches
From | Bruce Momjian |
---|---|
Subject | Re: More network functions... |
Date | |
Msg-id | 200405261835.i4QIZ9518577@candle.pha.pa.us |
In response to | Re: More network functions... (Sean Chittenden <sean@chittenden.org>) |
List | pgsql-patches |
Patch applied.  Thanks.

---------------------------------------------------------------------------

Sean Chittenden wrote:
> >> *) inet_(client|server)_(addr|port)() and necessary documentation for
> >> the four functions.
> >> *) area(PATH) and documentation.
> >> *) Checks for TEMP privs when creating objects in the temp schema
> >> (checks for any object created in a temp namespace).
> >> *) With the above change, current_user is now being used to check if
> >> CREATE TEMP TABLE should succeed.
> >> [ and it gets weirder from there ]
> >
> > Er, what?
> >
> > Could we possibly have this separated into multiple patches with some
> > coherent purpose to each?
>
> Sure.
>
> patch-network.txt contains the following bits:
>
> *) inet_(client|server)_(addr|port)() and necessary documentation for
> the four functions.
>
>
> > Also, please justify the temp-related changes. I was not aware that we
> > had any breakage there.
>
> patch-tmp-schema.txt contains the following bits:
>
> *) Changes pg_namespace_aclmask() so that the superuser is always able
> to create objects in the temp namespace.
> *) Changes pg_namespace_aclmask() so that if this is a temp namespace,
> objects are only allowed to be created in the temp namespace if the
> user has TEMP privs on the database. This encompasses all object
> creation, not just TEMP tables.
> *) InitTempTableNamespace() checks to see if the current user, not the
> session user, has access to create a temp namespace.
>
> The first two changes are necessary to support the third change. Now
> it's possible to revoke all temp table privs from non-super users and
> limit all creation of temp tables/schemas via a function that's
> executed with elevated privs (security definer). Before this change,
> it was not possible to have a setuid function to create a temp
> table/schema if the session user had no TEMP privs.
>
> Originally you'd brought up some concerns about security problems, but
> this patch I believe addresses all of your prior concerns.
>
>
> patch-area-path.txt contains:
>
> *) Can now determine the area of a closed path.
>
>
> patch-dfmgr.txt contains:
>
> *) Small tweak to add the library path that's being expanded.
>
> I was using $lib/foo.so and couldn't easily figure out what the error
> message, "invalid macro name in dynamic library path" meant without
> looking through the source code. With the path in there, at least I
> know where to start looking in my config file.
>
>
> -sc
>

[ Attachment, skipping... ]

[ Attachment, skipping... ]

[ Attachment, skipping... ]

[ Attachment, skipping... ]

[ Attachment, skipping... ]

>
>
> --
> Sean Chittenden
>
> ---------------------------(end of broadcast)---------------------------
> TIP 8: explain analyze is your friend

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
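The arrangement described for patch-tmp-schema.txt, sketched as an added example that is not part of the original message or the patch: TEMP is revoked from ordinary users and temp-table creation is funnelled through a security definer function. The database `appdb`, the roles `temp_owner` and `app_user`, and the function `make_scratch()` are hypothetical, and the `SET search_path` clause assumes a PostgreSQL release newer than this 2004 thread.

```sql
-- Constructed example; appdb, temp_owner, app_user and make_scratch() are
-- hypothetical names. Run the setup as a superuser connected to appdb.

-- 1. Nobody gets TEMP on the database by default any more.
REVOKE TEMPORARY ON DATABASE appdb FROM PUBLIC;

-- 2. A non-login role is the only non-superuser holder of TEMP.
CREATE ROLE temp_owner NOLOGIN;
GRANT TEMPORARY ON DATABASE appdb TO temp_owner;

-- 3. The function body runs as its owner (temp_owner). With the change
--    described above, the TEMP check is made against that current user,
--    not against the session user who called the function.
CREATE FUNCTION make_scratch() RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin the search path so the caller cannot redirect name lookups inside
-- a privileged function; pg_temp is listed last on purpose.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    CREATE TEMP TABLE scratch (id integer, payload text);
    -- The table belongs to temp_owner, so the caller needs explicit rights.
    GRANT SELECT, INSERT, DELETE ON pg_temp.scratch TO app_user;
END;
$$;

ALTER FUNCTION make_scratch() OWNER TO temp_owner;

-- 4. Only the intended role may call the privileged entry point.
REVOKE ALL ON FUNCTION make_scratch() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION make_scratch() TO app_user;

-- Check, connected as app_user:
--   CREATE TEMP TABLE t (x integer);   -- refused: no TEMP privilege
--   SELECT make_scratch();             -- succeeds
--   INSERT INTO pg_temp.scratch VALUES (1, 'ok');
```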