Thread: Re: [HACKERS] Postgres acl (fwd)

Re: [HACKERS] Postgres acl (fwd)

From
darrenk@insightdist.com (Darren King)
Date:
> > > > Can someone who has permission to create databases be trusted not to
> > > > delete others?  If we say no, how do we make sure they can change
> > > > pg_database rows on only databases that they own?
> > >
> > >     deleting a database is accomplished using 'drop database', no?
> > > Can the code for that not be modified to see whether the person dropping
> > > the database is the person that owns it *or* pgsuperuser?
> >
> > It already does the check, but issues an SQL from the C code to delete
> > from pg_database.  I believe any user who can create a database can
> > issue the same SQL command from psql, bypassing the drop database
> > checks, no?
>
>     Okay, I understand what you mean here...so I guess the next
> question is should system tables be directly modifyable by non-superuser?
>
>     For instance, we have a 'drop database' SQL command...can we
> restrict 'delete from pg_database' to just superuser, while leaving 'drop
> database' open to those with createdb privileges?  Same with 'create
> user', and, possible, a 'create group' command instead of 'insert into
> pg_group'?

IMHO, the system tables should _never_ be directly modifiable by anyone
other than the superuser/dba.  The rest of the population should have to
use a command of some sort that can be grant/revoked by said superuser/dba.

darrenk

Re: [HACKERS] Postgres acl (fwd)

From
"Thomas G. Lockhart"
Date:
> > > > > Can someone who has permission to create databases be trusted not to
> > > > > delete others?  If we say no, how do we make sure they can change
> > > > > pg_database rows on only databases that they own?
> > > >
> > > >   deleting a database is accomplished using 'drop database', no?
> > > > Can the code for that not be modified to see whether the person dropping
> > > > the database is the person that owns it *or* pgsuperuser?
> > >
> > > It already does the check, but issues an SQL from the C code to delete
> > > from pg_database.  I believe any user who can create a database can
> > > issue the same SQL command from psql, bypassing the drop database
> > > checks, no?
> >
> >       Okay, I understand what you mean here...so I guess the next
> > question is should system tables be directly modifyable by non-superuser?
> >
> >       For instance, we have a 'drop database' SQL command...can we
> > restrict 'delete from pg_database' to just superuser, while leaving 'drop
> > database' open to those with createdb privileges?  Same with 'create
> > user', and, possible, a 'create group' command instead of 'insert into
> > pg_group'?
>
> IMHO, the system tables should _never_ be directly modifiable by anyone
> other than the superuser/dba.  The rest of the population should have to
> use a command of some sort that can be grant/revoked by said superuser/dba.

Are there any maintenance operations which require a "delete from pg_xxx"? If
not, then we could just modify the parser (or the executor?) to check the table
name and not allow insert/delete from any table whose name starts with "pg_". Had
to ask, although I'm sure this is too easy to actually work :)

                                            - Tom


Re: [HACKERS] Postgres acl (fwd)

From
The Hermit Hacker
Date:
On Wed, 7 Jan 1998, Thomas G. Lockhart wrote:

> Are there any maintenance operations which require a "delete from pg_xxx"? If
> not, then we could just modify the parser (or the executor?) to check the table
> name and not allow insert/delete from any table whose name starts with "pg_". Had
> to ask, although I'm sure this is too easy to actually work :)

    As long as what you are suggesting doesn't break "drop database", "drop
table", "drop view"...I realize that this is obvious, but...

Marc G. Fournier
Systems Administrator @ hub.org
primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org


Re: [HACKERS] Postgres acl (fwd)

From
Bruce Momjian
Date:
> >
> > IMHO, the system tables should _never_ be directly modifiable by anyone
> > other than the superuser/dba.  The rest of the population should have to
> > use a command of some sort that can be grant/revoked by said superuser/dba.
>
> Are there any maintenance operations which require a "delete from pg_xxx"? If
> not, then we could just modify the parser (or the executor?) to check the table
> name and not allow insert/delete from any table whose name starts with "pg_". Had
> to ask, although I'm sure this is too easy to actually work :)

Interesting thought.  Wonder if it would work?

--
Bruce Momjian
maillist@candle.pha.pa.us

Re: [HACKERS] Postgres acl (fwd)

From
Bruce Momjian
Date:
>
> On Wed, 7 Jan 1998, Thomas G. Lockhart wrote:
>
> > Are there any maintenance operations which require a "delete from pg_xxx"? If
> > not, then we could just modify the parser (or the executor?) to check the table
> > name and not allow insert/delete from any table whose name starts with "pg_". Had
> > to ask, although I'm sure this is too easy to actually work :)
>
>     As long as what you are suggesting doesn't break "drop database", "drop
> table", "drop view"...I realize that this is obvious, but...

Good point.  Yes it does.  dbcommands.c and user.c both do direct calls
to pg_exec to pass everything into the parser, optimizer, and executor.

The real fix is to do things like copy.c does, by directly calling the C
routines and making the desired changes there.  Or to have some global
flag that says "Backend performed the rights test, let this SQL
succeed."  That may be cleaner.  Table access rights are tested in just
one function, I think.

We still have the pg_user.passwd problem, and pg_user is not readable by
general users.  I can't think of a fix for this.

--
Bruce Momjian
maillist@candle.pha.pa.us