Thread: pg_user "sealed"

pg_user "sealed"

From: The Hermit Hacker
Okay...

    I've modified initdb.sh so that ALL is revoked from pg_user, with
a view being created to look into it for usename and usesysid, which are
required by psql...

    This gets it so that psql works for \d

    I tried to do a rewrite rule on db_user such that password would
become '*********', but that doesn't appear to work?

    Reports of any problems associated with any of the pg_ system
tables, please let me know




Re: [HACKERS] pg_user "sealed"

From: jwieck@debis.com (Jan Wieck)
Marc wrote:
>
>
> Okay...
>
>    I've modified initdb.sh so that ALL is revoked from pg_user, with
> a view being created to look into it for usename and usesysid, which are
> required by psql...
>
>    This gets it so that psql works for \d
>
>    I tried to do a rewrite rule on db_user such that password would
> become '*********', but that doesn't appear to work?
>
>    Reports of any problems associated with any of the pg_ system
> tables, please let me know

    Since  you changed ACL_WORLD_DEFAULT to ACL_NO too, there are
    now problems on \d <table> (pg_attribute: Permission denied).
    And  thus  I expect more problems.  I think users should have
    SELECT permission on non-critical system catalogs by default.

    But  I  don't  think that setting explicit GRANT's on all the
    system catalogs is a good thing. Due to  the  ACL  parsing  I
    would expect some loss of performance.

    So   if   the   relname   is   given   to   acldefault()   in
    utils/adt/acl.c, it can do a IsSystemRelationName() on it and
    return ACL_RD instead of ACL_WORLD_DEFAULT.


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#======================================== jwieck@debis.com (Jan Wieck) #

Re: [HACKERS] pg_user "sealed"

From: The Hermit Hacker
On Mon, 23 Feb 1998, Jan Wieck wrote:

>
> Marc wrote:
> >
> >
> > Okay...
> >
> >    I've modified initdb.sh so that ALL is revoked from pg_user, with
> > a view being created to look into it for usename and usesysid, which are
> > required by psql...
> >
> >    This gets it so that psql works for \d
> >
> >    I tried to do a rewrite rule on db_user such that password would
> > become '*********', but that doesn't appear to work?
> >
> >    Reports of any problems associated with any of the pg_ system
> > tables, please let me know
>
>     Since  you changed ACL_WORLD_DEFAULT to ACL_NO too, there are
>     now problems on \d <table> (pg_attribute: Permission denied).
>     And  thus  I expect more problems.  I think users should have
>     SELECT permission on non-critical system catalogs by default.

    Okay, I've just been adding in appropriate 'GRANT SELECT's inside
of initdb.sh, for lack of a better idea...

>     But  I  don't  think that setting explicit GRANT's on all the
>     system catalogs is a good thing. Due to  the  ACL  parsing  I
>     would expect some loss of performance.
>
>     So   if   the   relname   is   given   to   acldefault()   in
>     utils/adt/acl.c, it can do a IsSystemRelationName() on it and
>     return ACL_RD instead of ACL_WORLD_DEFAULT.

    ...which this definitely sounds like :)  Want to make the change
and send me a patch?


Re: [HACKERS] pg_user "sealed"

From: Bruce Momjian
>     Since  you changed ACL_WORLD_DEFAULT to ACL_NO too, there are
>     now problems on \d <table> (pg_attribute: Permission denied).
>     And  thus  I expect more problems.  I think users should have
>     SELECT permission on non-critical system catalogs by default.
>
>     But  I  don't  think that setting explicit GRANT's on all the
>     system catalogs is a good thing. Due to  the  ACL  parsing  I
>     would expect some loss of performance.
>
>     So   if   the   relname   is   given   to   acldefault()   in
>     utils/adt/acl.c, it can do a IsSystemRelationName() on it and
>     return ACL_RD instead of ACL_WORLD_DEFAULT.

Nice solution.

--
Bruce Momjian                          |  830 Blythe Avenue
maillist@candle.pha.pa.us              |  Drexel Hill, Pennsylvania 19026
  +  If your life is a hard drive,     |  (610) 353-9879(w)
  +  Christ can be your backup.        |  (610) 853-3000(h)

Re: [HACKERS] pg_user "sealed"

From: jwieck@debis.com (Jan Wieck)
So here it is,

> >     So   if   the   relname   is   given   to   acldefault()   in
> >     utils/adt/acl.c, it can do a IsSystemRelationName() on it and
> >     return ACL_RD instead of ACL_WORLD_DEFAULT.
>
> Nice solution.

    There  might  only  be one problem left. The acl items output
    regproc too sets up a default entry  and  uses  this  if  the
    passed  in  aip  is  NULL. For types output regproc we cannot
    pass in the relation name because this  call  happens  through
    the fmgr from somewhere else. I don't know if this could ever
    happen since the system would never produce an empty acl from
    inside  or  by the aclparse() input function. Might be a good
    thing to change aclitemout() for now to throw  an  elog()  if
    aip is NULL and look if this ever happens.


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#======================================== jwieck@debis.com (Jan Wieck) #


diff -c -r /usr/local/pgsql/sup/pgsql/src/backend/catalog/aclchk.c ./backend/catalog/aclchk.c
*** /usr/local/pgsql/sup/pgsql/src/backend/catalog/aclchk.c    Thu Feb 12 14:35:47 1998
--- ./backend/catalog/aclchk.c    Mon Feb 23 22:27:24 1998
***************
*** 39,45 ****
  #include "utils/tqual.h"
  #include "fmgr.h"

! static int32 aclcheck(Acl *acl, AclId id, AclIdType idtype, AclMode mode);

  /*
   * Enable use of user relations in place of real system catalogs.
--- 39,45 ----
  #include "utils/tqual.h"
  #include "fmgr.h"

! static int32 aclcheck(char *relname, Acl *acl, AclId id, AclIdType idtype, AclMode mode);

  /*
   * Enable use of user relations in place of real system catalogs.
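Review bot: the new `relname` argument on the static `aclcheck()` prototype carries no indication of whether NULL is allowed, yet it ends up in `IsSystemRelationName()` further down; a one-line comment on the declaration stating that `relname` must be a valid relation name (or that NULL is tolerated, if the body is made to tolerate it) would make the contract explicit for the callers in this file.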
***************
*** 150,156 ****
          elog(DEBUG, "ChangeAcl: using default ACL");
  #endif
  /*        old_acl = acldefault(((Form_pg_class) GETSTRUCT(htp))->relowner); */
!         old_acl = acldefault();
          free_old_acl = 1;
      }

--- 150,156 ----
          elog(DEBUG, "ChangeAcl: using default ACL");
  #endif
  /*        old_acl = acldefault(((Form_pg_class) GETSTRUCT(htp))->relowner); */
!         old_acl = acldefault(relname);
          free_old_acl = 1;
      }

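Review bot: the commented-out `old_acl = acldefault(((Form_pg_class) GETSTRUCT(htp))->relowner);` line directly above the changed call is now doubly stale, since `acldefault()` takes a relation name rather than an owner id; either drop the dead comment or update it so it does not suggest an owner-based variant that no longer matches the signature. Note also that this branch is only taken when the stored ACL is NULL ("using default ACL"), so a relation that initdb gives an explicit ACL, such as pg_user, is unaffected by the new default.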
***************
*** 281,287 ****
   * any one of the requirements of 'mode'.  Returns 0 otherwise.
   */
  static int32
! aclcheck(Acl *acl, AclId id, AclIdType idtype, AclMode mode)
  {
      unsigned i;
      AclItem *aip,
--- 281,287 ----
   * any one of the requirements of 'mode'.  Returns 0 otherwise.
   */
  static int32
! aclcheck(char *relname, Acl *acl, AclId id, AclIdType idtype, AclMode mode)
  {
      unsigned i;
      AclItem *aip,
***************
*** 292,298 ****
      /* if no acl is found, use world default */
      if (!acl)
      {
!         acl = acldefault();
      }

      num = ACL_NUM(acl);
--- 292,298 ----
      /* if no acl is found, use world default */
      if (!acl)
      {
!         acl = acldefault(relname);
      }

      num = ACL_NUM(acl);
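Review bot: when `acl` is NULL this hunk assigns a freshly allocated default to the local `acl` inside `aclcheck()`, but the caller in `pg_aclcheck()` only frees its own `acl` variable, which is still NULL at that point; unless `aclcheck()` frees the default before returning (not visible in the hunk), the default ACL is leaked on every check against a relation with no stored ACL. The leak predates this patch, but since the call is being changed anyway it is the place to add the `pfree()` or to have the caller obtain the default instead.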
***************
*** 475,481 ****
                                       Anum_pg_class_relowner,
                                       RelationGetTupleDescriptor(relation),
                                       (bool *) NULL);
!         acl = aclownerdefault(ownerId);
      }
  #else
      {                            /* This is why the syscache is great... */
--- 475,481 ----
                                       Anum_pg_class_relowner,
                                       RelationGetTupleDescriptor(relation),
                                       (bool *) NULL);
!         acl = aclownerdefault(relname, ownerId);
      }
  #else
      {                            /* This is why the syscache is great... */
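Review bot: only the `#ifdef` branch is updated to `aclownerdefault(relname, ownerId)`; the `#else` branch ("This is why the syscache is great...") is not in the hunk, so confirm it either does not call `aclownerdefault()` or receives the same change, otherwise that configuration will fail to compile against the new prototype in acl.h.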
***************
*** 511,517 ****
          heap_close(relation);
      }
  #endif
!     result = aclcheck(acl, id, (AclIdType) ACL_IDTYPE_UID, mode);
      if (acl)
          pfree(acl);
      return (result);
--- 511,517 ----
          heap_close(relation);
      }
  #endif
!     result = aclcheck(relname, acl, id, (AclIdType) ACL_IDTYPE_UID, mode);
      if (acl)
          pfree(acl);
      return (result);
diff -c -r /usr/local/pgsql/sup/pgsql/src/backend/utils/adt/acl.c ./backend/utils/adt/acl.c
*** /usr/local/pgsql/sup/pgsql/src/backend/utils/adt/acl.c    Thu Feb 12 14:36:19 1998
--- ./backend/utils/adt/acl.c    Mon Feb 23 22:32:56 1998
***************
*** 18,23 ****
--- 18,24 ----
  #include <utils/memutils.h>
  #include "utils/acl.h"
  #include "utils/syscache.h"
+ #include "catalog/catalog.h"
  #include "catalog/pg_user.h"
  #include "miscadmin.h"

***************
*** 342,348 ****
  }

  Acl           *
! aclownerdefault(AclId ownerid)
  {
      Acl           *acl;
      AclItem    *aip;
--- 343,349 ----
  }

  Acl           *
! aclownerdefault(char *relname, AclId ownerid)
  {
      Acl           *acl;
      AclItem    *aip;
***************
*** 351,357 ****
      aip = ACL_DAT(acl);
      aip[0].ai_idtype = ACL_IDTYPE_WORLD;
      aip[0].ai_id = ACL_ID_WORLD;
!     aip[0].ai_mode = ACL_WORLD_DEFAULT;
      aip[1].ai_idtype = ACL_IDTYPE_UID;
      aip[1].ai_id = ownerid;
      aip[1].ai_mode = ACL_OWNER_DEFAULT;
--- 352,358 ----
      aip = ACL_DAT(acl);
      aip[0].ai_idtype = ACL_IDTYPE_WORLD;
      aip[0].ai_id = ACL_ID_WORLD;
!     aip[0].ai_mode = IsSystemRelationName(relname) ? ACL_RD : ACL_WORLD_DEFAULT;
      aip[1].ai_idtype = ACL_IDTYPE_UID;
      aip[1].ai_id = ownerid;
      aip[1].ai_mode = ACL_OWNER_DEFAULT;
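Review bot: the expression `IsSystemRelationName(relname) ? ACL_RD : ACL_WORLD_DEFAULT` is duplicated verbatim in the `acldefault()` hunk below; factoring it into one small static helper that returns the world-default mode for a relation name keeps the two defaults from drifting apart if the policy changes again. It is also worth stating in a comment that this default only applies to relations with no stored ACL, so pg_user still relies on the explicit REVOKE done in initdb.sh to stay sealed.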
***************
*** 359,365 ****
  }

  Acl           *
! acldefault(void)
  {
      Acl           *acl;
      AclItem    *aip;
--- 360,366 ----
  }

  Acl           *
! acldefault(char *relname)
  {
      Acl           *acl;
      AclItem    *aip;
***************
*** 368,374 ****
      aip = ACL_DAT(acl);
      aip[0].ai_idtype = ACL_IDTYPE_WORLD;
      aip[0].ai_id = ACL_ID_WORLD;
!     aip[0].ai_mode = ACL_WORLD_DEFAULT;
      return (acl);
  }

--- 369,375 ----
      aip = ACL_DAT(acl);
      aip[0].ai_idtype = ACL_IDTYPE_WORLD;
      aip[0].ai_id = ACL_ID_WORLD;
!     aip[0].ai_mode = IsSystemRelationName(relname) ? ACL_RD : ACL_WORLD_DEFAULT;
      return (acl);
  }

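Review bot: `IsSystemRelationName(relname)` is called unconditionally here, so a NULL `relname` dereferences NULL; the covering mail already identifies a caller that cannot supply a relation name (the default set up in the aclitem output function when `aip` is NULL). Either guard the test with `relname && IsSystemRelationName(relname)` so the non-system default is used, or `elog()` on NULL as the mail suggests, but do not leave the crash path open.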
diff -c -r /usr/local/pgsql/sup/pgsql/src/include/utils/acl.h ./include/utils/acl.h
*** /usr/local/pgsql/sup/pgsql/src/include/utils/acl.h    Mon Feb 23 20:42:08 1998
--- ./include/utils/acl.h    Mon Feb 23 22:25:47 1998
***************
*** 135,142 ****
  /*
   * routines used internally (parser, etc.)
   */
! extern Acl *aclownerdefault(AclId ownerid);
! extern Acl *acldefault(void);
  extern Acl *aclinsert3(Acl *old_acl, AclItem *mod_aip, unsigned modechg);

  extern char *aclmakepriv(char *old_privlist, char new_priv);
--- 135,142 ----
  /*
   * routines used internally (parser, etc.)
   */
! extern Acl *aclownerdefault(char *relname, AclId ownerid);
! extern Acl *acldefault(char *relname);
  extern Acl *aclinsert3(Acl *old_acl, AclItem *mod_aip, unsigned modechg);

  extern char *aclmakepriv(char *old_privlist, char new_priv);
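Review bot: the comment above these prototypes says the routines are used by the parser as well, yet the patch changes callers only in aclchk.c and acl.c; every other call site of `acldefault()` and `aclownerdefault()` (parser, the aclitem output function mentioned in the mail) must be updated to pass a relation name, or the build breaks against these new declarations. A grep for both names across the tree before committing would settle it.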