Re: More network functions... - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: More network functions...
Date
Msg-id 200405261835.i4QIZ9518577@candle.pha.pa.us
In response to Re: More network functions...  (Sean Chittenden <sean@chittenden.org>)
List pgsql-patches
Patch applied.  Thanks.

---------------------------------------------------------------------------


Sean Chittenden wrote:
> >> *) inet_(client|server)_(addr|port)() and necessary documentation for
> >> the four functions.
> >> *) area(PATH) and documentation.
> >> *) Checks for TEMP privs when creating objects in the temp schema
> >> (checks for any object created in a temp namespace).
> >> *) With the above change, current_user is now being used to check if
> >> CREATE TEMP TABLE should succeed.
> >> [ and it gets weirder from there ]
> >
> > Er, what?
> >
> > Could we possibly have this separated into multiple patches with some
> > coherent purpose to each?
>
> Sure.
>
> patch-network.txt contains the following bits:
>
> *) inet_(client|server)_(addr|port)() and necessary documentation for
> the four functions.
>
>
> > Also, please justify the temp-related changes.  I was not aware that we
> > had any breakage there.
>
> patch-tmp-schema.txt contains the following bits:
>
> *) Changes pg_namespace_aclmask() so that the superuser is always able
> to create objects in the temp namespace.
> *) Changes pg_namespace_aclmask() so that if this is a temp namespace,
> objects are only allowed to be created in the temp namespace if the
> user has TEMP privs on the database.  This encompasses all object
> creation, not just TEMP tables.
> *) InitTempTableNamespace() checks to see if the current user, not the
> session user, has access to create a temp namespace.
>
> The first two changes are necessary to support the third change.  Now
> it's possible to revoke all temp table privs from non-super users and
> limit all creation of temp tables/schemas via a function that's
> executed with elevated privs (security definer).  Before this change,
> it was not possible to have a setuid function to create a temp
> table/schema if the session user had no TEMP privs.
>
> Originally you'd brought up some concerns about security problems, but
> this patch I believe addresses all of your prior concerns.
>
>
> patch-area-path.txt contains:
>
> *) Can now determine the area of a closed path.
>
>
> patch-dfmgr.txt contains:
>
> *) Small tweak to add the library path that's being expanded.
>
> I was using $lib/foo.so and couldn't easily figure out what the error
> message, "invalid macro name in dynamic library path" meant without
> looking through the source code.  With the path in there, at least I
> know where to start looking in my config file.
>
>
> -sc
>

[ Attachment, skipping... ]

>
>
> --
> Sean Chittenden

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
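
The arrangement described in the quoted patch-tmp-schema notes (TEMP revoked from ordinary users, temp tables created only through a security definer function) can be written out as follows. This is an added SQL example, not part of the original message or the patch; the names appdb, temp_owner, app_user and make_scratch() are hypothetical, and a current PostgreSQL release is assumed.

```sql
-- Added example; appdb, temp_owner, app_user and make_scratch() are hypothetical.
-- Run as a superuser while connected to appdb.

-- 1. No ordinary user holds TEMP on the database.
REVOKE TEMPORARY ON DATABASE appdb FROM PUBLIC;

-- 2. A non-login role holds TEMP and will own the wrapper function.
CREATE ROLE temp_owner NOLOGIN;
GRANT TEMPORARY ON DATABASE appdb TO temp_owner;
CREATE ROLE app_user LOGIN;

-- 3. The wrapper runs with temp_owner's privileges, so the TEMP check is made
--    against the current user (temp_owner), not the session user.
--    search_path is pinned with pg_temp last so that objects a caller places
--    in its temp schema cannot shadow names the function resolves.
CREATE FUNCTION make_scratch() RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    CREATE TEMP TABLE IF NOT EXISTS scratch (id integer, payload text);
    -- The table is owned by temp_owner; hand the caller only the DML rights
    -- it needs. session_user is still the caller inside the function.
    EXECUTE format(
        'GRANT SELECT, INSERT, UPDATE, DELETE ON pg_temp.scratch TO %I',
        session_user);
END;
$$;

-- 4. Only app_user may call the wrapper; functions are executable by
--    PUBLIC by default, so revoke that first.
ALTER FUNCTION make_scratch() OWNER TO temp_owner;
REVOKE ALL ON FUNCTION make_scratch() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION make_scratch() TO app_user;

-- 5. Check from app_user's side.
SET SESSION AUTHORIZATION app_user;
CREATE TEMP TABLE direct_attempt (x integer);  -- app_user holds no TEMP privilege
SELECT make_scratch();                         -- creation goes through the wrapper
INSERT INTO scratch VALUES (1, 'constructed sample row');
RESET SESSION AUTHORIZATION;
```

The wrapper fixes the table definition itself; a security definer function that accepted a table name or column list from the caller would hand back most of what the REVOKE took away.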
