Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER - Mailing list pgsql-hackers

From Tom Lane
Subject Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
Date
Msg-id 39752.1658420887@sss.pgh.pa.us
Whole thread Raw
In response to let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
List pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> Currently, it's possible to remove the rolissuper bit from the
> bootstrap superuser, but this leaves that user - and the system in
> general - in an odd state. The bootstrap user continues to own all of
> the objects it owned before, e.g. all of the system catalogs. Direct
> DML on system catalogs is blocked by pg_class_aclmask_ext(), but it's
> possible to do things like rename a system function out of the way and
> create a new function with the same signature. Therefore, creating a
> new superuser and making the original one a non-superuser is probably
> not viable from a security perspective, because anyone who gained
> access to that role would likely have little difficulty mounting a
> Trojan horse attack against the current superusers.

True, but what if the idea is to have *no* superusers?  I seem
to recall people being interested in setups like that.

On the whole I don't have any objection to your proposal, I just
worry that somebody else will.

Of course there's always "UPDATE pg_authid SET rolsuper = false",
which makes it absolutely clear that you're breaking the glass cover.

            regards, tom lane



pgsql-hackers by date:

Previous
From: Sergey Dudoladov
Date:
Subject: Re: Add connection active, idle time to pg_stat_activity
Next
From: "David G. Johnston"
Date:
Subject: Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER