Re: Granting control of SUSET gucs to non-superusers - Mailing list pgsql-hackers

From Chapman Flack
Subject Re: Granting control of SUSET gucs to non-superusers
Msg-id 608C9A81.3020006@anastigmatix.net
In response to Granting control of SUSET gucs to non-superusers  (Mark Dilger <mark.dilger@enterprisedb.com>)
List pgsql-hackers
On 04/30/21 19:19, Mark Dilger wrote:

> We could certainly debate which GUCs could be used to escape the sandbox
> vs. which ones could not, but I would prefer a design that allows the
> provider to make that determination.

I find myself wondering how many GUCs flagged SUSET are not flagged that way
because of a determination already made that they could be used to escape.
(Maybe some of the logging ones, only usable to conceal your escape.)

But there might be ways for a provider, scrutinizing each of those
individually, to conclude "this will not allow escape from the sandbox
/I/ have set up, provided the value being set satisfies constraints
x and y" ... a generalization of the LOAD from $libdir/plugins idea.

So that suggests to me some mechanism where a provider could grant
setting foo to role bar using validator baz().

Can SUSET GUCs be set from SECURITY DEFINER functions? Maybe there are
already the pieces to do that, minus some syntax sugar.

Regards,
-Chap
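The "grant setting foo to role bar using validator baz()" idea above can already be approximated today with a SECURITY DEFINER function: GUC permission checks are made against the effective user, so a superuser-owned function can set a SUSET parameter on behalf of a caller after checking the value against whatever constraints the provider has chosen. The following is an added example, not code from the thread or from PostgreSQL itself; the role name app_ops, the function name ops_set_log_min_messages and the allow-list of values are assumptions made for illustration. It uses log_min_messages as the SUSET parameter and constrains the caller to values at least as verbose as the default, so the function can never be used to quieten logging (the "conceal your escape" case mentioned above). Run it as a superuser.

```sql
-- Added example: emulating "grant setting foo to role bar using validator baz()"
-- with a superuser-owned SECURITY DEFINER function. Not from the original thread.
-- app_ops and the allow-list are assumptions for illustration.

CREATE ROLE app_ops NOLOGIN;   -- hypothetical non-superuser role

-- The "validator" plus the privileged SET, bundled in one function owned by a superuser.
CREATE OR REPLACE FUNCTION ops_set_log_min_messages(p_value text)
RETURNS text
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- don't resolve names via the caller's search_path
AS $$
BEGIN
    -- Constraint chosen by the provider: the caller may make logging MORE verbose than the
    -- default (warning), but never less, so this cannot be used to suppress log lines.
    IF p_value IS NULL
       OR lower(p_value) NOT IN ('warning', 'notice', 'info',
                                 'debug1', 'debug2', 'debug3', 'debug4', 'debug5') THEN
        RAISE EXCEPTION 'log_min_messages value "%" is not permitted', p_value
            USING ERRCODE = 'insufficient_privilege';
    END IF;

    -- The superuser check inside set_config() sees the function owner, not the caller.
    -- is_local = false: the new value persists for the rest of the caller's session
    -- (not just the function body), unless the enclosing transaction is rolled back.
    RETURN pg_catalog.set_config('log_min_messages', lower(p_value), false);
END;
$$;

-- EXECUTE is granted to PUBLIC by default; restrict it to the intended role.
REVOKE EXECUTE ON FUNCTION ops_set_log_min_messages(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION ops_set_log_min_messages(text) TO app_ops;

-- Usage, as the non-superuser role:
--   SET ROLE app_ops;
--   SELECT ops_set_log_min_messages('info');    -- accepted, returns 'info'
--   SHOW log_min_messages;                      -- 'info' for the rest of the session
--   SELECT ops_set_log_min_messages('panic');   -- rejected by the validator
--   SET log_min_messages = 'panic';             -- still refused: permission denied
```

This gives the provider the per-GUC, per-role, per-constraint decision the message asks for, at the cost of one wrapper function per parameter and a trust boundary that lives in PL/pgSQL rather than in the catalog. The SET search_path clause and the REVOKE from PUBLIC are the usual SECURITY DEFINER hygiene; without them the function is itself a privilege escalation path.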
