Home > mailing lists

Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER - Mailing list pgsql-hackers

From	Nathan Bossart
Subject	Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
Date	July 21, 2022 20:27:26
Msg-id	20220721172726.GA3779763@nathanxps13 Whole thread Raw
In response to	Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER (Tom Lane <tgl@sss.pgh.pa.us>)
Responses	Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
List	pgsql-hackers

Tree view

On Thu, Jul 21, 2022 at 01:02:50PM -0400, Tom Lane wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
>> ... if
>> we want to regard no-superusers as a supported configuration, we
>> probably need to tighten that up. I think it's kind of hopeless,
> 
> Yeah, I agree.  At least, I'm uninterested in spending any of my
> own time trying to make that usefully-more-secure than it is today.
> If somebody else is interested enough to do the legwork, we can
> look at what they come up with.

Given the current assumptions the code makes about the bootstrap superuser,
I think it makes sense to disallow removing its superuser attribute (at
least via ALTER ROLE NOSUPERUSER).  It seems like there is much work to do
before a no-superuser configuration could be formally supported.  If/when
such support materializes, it might be possible to remove the restriction
that Robert is proposing.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com

pgsql-hackers by date:

From: Alvaro Herrera
Date: 21 July 2022, 20:12:35
Subject: Re: PG 15 (and to a smaller degree 14) regression due to ExprEvalStep size

From: Martin Kalcher
Date: 21 July 2022, 20:29:12
Subject: Re: [PATCH] Introduce array_shuffle() and array_sample()

Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER - Mailing list pgsql-hackers

Previous

Next