Re: pgsql: Add new GUC createrole_self_grant. - Mailing list pgsql-hackers

From Robert Haas
Subject Re: pgsql: Add new GUC createrole_self_grant.
Date
Msg-id CA+TgmoY8XUmXrPJ-znBxn9p68aXokYrSKZToV5AJ7cseGVV-tA@mail.gmail.com
In response to Re: pgsql: Add new GUC createrole_self_grant.  ("David G. Johnston" <david.g.johnston@gmail.com>)
List pgsql-hackers
On Mon, Jan 16, 2023 at 10:33 AM David G. Johnston
<david.g.johnston@gmail.com> wrote:
> I’m moving on as well.  Go with what you have.  I have my personal
> understanding clarified at this point.  If the docs need more work
> people will ask questions to help guide such work.

Yeah, I hope so.

It's becoming increasingly clear to me that we haven't put enough
effort into clarifying what I will broadly call "trust issues" in the
documentation. It's bad if you call untrusted code that runs as you,
and it's bad if code that runs as you gets called by untrusted people
for whose antics you are not sufficiently prepared, and there are a
lot of ways those things can happen: direct function calls,
operators, triggers, row-level security, views, index or materialized
view rebuilds, etc. I think it would be good to have a general
treatment of those issues in the documentation written by a
security-conscious hacker or hackers who are really familiar both with
the behavior of the system and also able to make the security
consequences understandable to people who are not so deeply invested
in PostgreSQL. I don't want to do that on this thread, but to the
extent that you're arguing that the current treatment is inadequate,
I'm fully in agreement with that.

--
Robert Haas
EDB: http://www.enterprisedb.com


