Postgres Pro
Downloads
Home   >   mailing lists

Re: Seeking practice recommendation: is there ever a use case to have two or more superusers? - Mailing list pgsql-general

From Peter J. Holzer
Subject Re: Seeking practice recommendation: is there ever a use case to have two or more superusers?
Date
Msg-id 20221118200835.sgva7b6wgg4w7py7@hjp.at
Whole thread Raw
In response to Seeking practice recommendation: is there ever a use case to have two or more superusers?  (Bryn Llewellyn <bryn@yugabyte.com>)
Responses Re: Seeking practice recommendation: is there ever a use case to have two or more superusers?  (Bryn Llewellyn <bryn@yugabyte.com>)
Re: Seeking practice recommendation: is there ever a use case to have two or more superusers?  (Mladen Gogala <gogala.mladen@gmail.com>)
List pgsql-general
Tree view 
On 2022-11-17 11:36:15 -0800, Bryn Llewellyn wrote:
> The detail below leads to a simply stated question:
>
> Given that the bootstrap superuser must exist, is there ever a reason to create
> another role with "superuser"?
>
> My intuition tells me that the answer is a resounding "No!".

Is there ever a reason? Yes. Does that reason apply to you? I don't know.
Maybe, maybe not.


> — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
> I wondered, at first, if it might be a good practice to create a
> second superuser, say "super" with "login", to alter the bootstrap
> superuser with "nologin", and then to use "super" on an "ordinary"
> daily basis for tasks that might need this. The thought was that this
> practice might protect the artifacts that the bootstrap superuser owns
> from damage. But this thought dissolved into thin air, before it was
> fully formed, on the realization that the unstoppable "super" could
> anyway do arbitrary damage to the bootstrap superuser's artifacts.

You could create additional superusers and restrict those to certain
databases and/or IP ranges. That probably won't stop an attacker (I can
think of at least one way to get around that and it's probably even
easier than I think) but it might prevent accidental damage.


> The implication is clear: you should allow a cluster to have just a single
> superuser, the inevitable bootstrap superuser, and you should think very
> carefully indeed before ever starting a session as this role because of the
> risks that doing so brings. Rather, you should realize that there are hardly
> any tasks that cannot be carried out by an appropriately configured role with
> "nosuperuser".

One important task that can AFAIK only be performed by superusers is the
creation of functions in untrusted languages like plpython3u and
plperlu.

If your application uses functions in those languages you need a
superuser to install or upgrade it.

        hp

--
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp@hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
Attachment

pgsql-general by date:

Previous
From: Nikhil Benesch
Date:
Subject: Appetite for `SELECT ... EXCLUDE`?
Next
From: Tom Lane
Date:
Subject: Re: Appetite for `SELECT ... EXCLUDE`?