Thread: AW: "setuid" functions, a solution to the RI privilege problem

AW: "setuid" functions, a solution to the RI privilege problem

From
Zeugswetter Andreas SB
Date:
> (With 7.2 I plan to get rid of pg_shadow.usesysid and 
> identify users via
> pg_shadow.oid and the superuser oid will be hard-coded into
> include/catalog/pg_shadow.h, so at that point they will work.)

Imho it is fine to get rid of the usesysid in our internal authorization
system,
but we should not get rid of the only field that can tie a db user 
to an os user. Imho we should not do a "by name" lookup
and eliminate the field. The extra field adds additional flexibility,
like using one os user for many db users, or using different names 
for os users.

In the long run we will need a tie to os users for os level setuid user
functions.

Andreas


Re: AW: "setuid" functions, a solution to the RI privilege problem

From
Peter Eisentraut
Date:
Zeugswetter Andreas SB writes:

> Imho it is fine to get rid of the usesysid in our internal
> authorization system, but we should not get rid of the only field that
> can tie a db user to an os user. Imho we should not do a "by name"
> lookup and eliminate the field.

Um, well, the only possible way to determine the session user when the
backend starts is to use the textual user name provided by the
authentication subsystem.

> The extra field adds additional flexibility, like using one os user
> for many db users, or using different names for os users.

> In the long run we will need a tie to os users for os level setuid
> user functions.

But the pg_shadow authentication is based on credentials provided by the
client whereas what you propose here would run on the server, so this
doesn't make sense. When we get around to these setuid user functions
(while I have no idea how we would do so) we certainly need to have a
separate control mechanism.

-- 
Peter Eisentraut      peter_e@gmx.net       http://yi.org/peter-e/