Re: allowing privileges on untrusted languages - Mailing list pgsql-hackers

From Dimitri Fontaine
Subject Re: allowing privileges on untrusted languages
Date
Msg-id m2fw1tl7eq.fsf@2ndQuadrant.fr
Whole thread Raw
In response to Re: allowing privileges on untrusted languages  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Tom Lane <tgl@sss.pgh.pa.us> writes:
> The traditional answer to that, which not only can be done already in
> all existing releases but is infinitely more flexible than any
> hard-wired scheme we could implement, is that you create superuser-owned
> security-definer functions that can execute any specific operation you
> want to allow, and then GRANT EXECUTE on those functions to just the
> people who should have it.

The next step after that might well be INSTEAD OF event triggers,
allowing users to reimplement some DDL in terms of themselves in PL
code, with the ALTER EVENT TRIGGER … DISABLE; trick to avoid recursion.

> I'm really entirely un-thrilled with a proposal to clutter the privilege
> system like this.  Admittedly, it might be a hair more secure than
> user-written plpgsql functions, which could perhaps be subverted if the
> author is careless.  But there are a hundred other places where we could
> more usefully spend our implementation and future-maintenance efforts
> than here.

My understanding is that the security minds are shifting towards
capabilities as the way to reduce maintenance efforts and security bug
fixes in the long run:
 http://www.erights.org/

Again, as I'm not into security that much, so I will refrain from
commenting any further.

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support



pgsql-hackers by date:

Previous
From: Ashutosh Bapat
Date:
Subject: Re: pg_ctl idempotent option
Next
From: Pavan Deolasee
Date:
Subject: Re: CF3+4 (was Re: Parallel query execution)