Re: For review: Server instrumentation patch - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: For review: Server instrumentation patch
Date
Msg-id 20050724203317.GY24207@ns.snowman.net
Whole thread Raw
In response to Re: For review: Server instrumentation patch  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> I'm going to repeat my firm opposition to this patch.  Under the
> innocuous-sounding banner of "server instrumentation", you are once
> again trying to put in generic file access capabilities that will allow
> remote Postgres superusers full access to the server filesystem.
>
> The potential security risks of this are obvious to anyone.  The only
> justification that has been offered is "this will make remote
> administration easier".  Well, yeah, but it will make remote breakins
> easier too.  Valuing ease of use over security is the philosophy that
> got Microsoft into the mess they're in now --- do we want to follow
> that precedent?

I'm not exactly convinced this *actually* provides superusers any more
permissions than they already have.  As someone else has pointed out,
there's COPY, and I'd think the whole can-dynamically-load-.so's would
trump any claims that you can give someone remote postgres superuser
'safely' (ie: and think it prevents them from being able to do things as
the postgres account on the system).

Indeed, I'd tend to think that's just about *exactly* what giving
someone postgres superuser access means- full access to the system as
that unix account.

> The use-case for this seems to be to substitute for having local login
> privileges on the server machine.  Well, if the sysadmins of that
> machine refuse to give you manual login privileges, they probably have
> good reasons for it, and will not be very happy to see an end-run around
> their restriction in the form of the database giving you remote
> filesystem access.

Those admins should probably be educated that giving someone postgres
superuser is pretty much giving them local access as the user postgres
runs as.  I don't believe it'd be appropriate to try and claim anything
else...

> I would have no problem with this patch as an optional add-on (eg, a
> contrib module), so that individual installations could decide whether
> they want to take the incremental security risk.  In that form it's
> basically equivalent to deciding you want to install an untrusted
> PL language.  We don't install those by default and we shouldn't install
> generic filesystem access by default either.

Given the somewhat lacking use-case (Working through postgres isn't
exactly the way *I'd* tend to mess with the filesystem directly, so this
seems like a pretty poor use-case to me) I'd agree that it'd be more
appropriate as a contrib module, but let's not confuse that with
security concerns.

> If we accept this patch I foresee security-conscious admins starting to
> question whether they should allow Postgres to be installed at all on
> their systems.  We don't need that kind of impediment to acceptance.

I doubt this as I expect security-conscious admins will understand what
being able to dynamically load a .so means, and will be aware of such
things as COPY.  As such, I'd tend to think security-conscious admins
would deny remote superuser access anyway...
Stephen

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: For review: Server instrumentation patch
Next
From: "Magnus Hagander"
Date:
Subject: Re: For review: Server instrumentation patch