Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER - Mailing list pgsql-hackers

From David G. Johnston
Subject Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
Date
Msg-id CAKFQuwaRPMs_5N5OAuwREZv4ozictAaiSZ52zK8pKBOGN1tAWQ@mail.gmail.com
Whole thread Raw
In response to Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
List pgsql-hackers
On Thu, Jul 21, 2022 at 9:28 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Robert Haas <robertmhaas@gmail.com> writes:
> Currently, it's possible to remove the rolissuper bit from the
> bootstrap superuser, but this leaves that user - and the system in
> general - in an odd state. The bootstrap user continues to own all of
> the objects it owned before, e.g. all of the system catalogs. Direct
> DML on system catalogs is blocked by pg_class_aclmask_ext(), but it's
> possible to do things like rename a system function out of the way and
> create a new function with the same signature. Therefore, creating a
> new superuser and making the original one a non-superuser is probably
> not viable from a security perspective, because anyone who gained
> access to that role would likely have little difficulty mounting a
> Trojan horse attack against the current superusers.

True, but what if the idea is to have *no* superusers?  I seem
to recall people being interested in setups like that.
 
On the whole I don't have any objection to your proposal, I just
worry that somebody else will.

Of course there's always "UPDATE pg_authid SET rolsuper = false",
which makes it absolutely clear that you're breaking the glass cover.


I would expect an initdb option (once this is possible) to specify this desire and we just never set one up in the first place.  It seems impractical to remove one after it already exists.  Though we could enable the option (or a function) tied to the specific predefined role that, say, permits catalog changes, when that day comes.

David J.

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER
Next
From: Tom Lane
Date:
Subject: Re: let's disallow ALTER ROLE bootstrap_superuser NOSUPERUSER