Thread: PG13 Trusted Extension usability issue

PG13 Trusted Extension usability issue

From
"Brad Nicholson"
Date:

First, as a long time user of the pgextwlist extension, I'm happy to see this functionality appearing in core. However, as a long term user of that extension, I can say that ability to create an extension as a non-super user is pretty limited in itself in a lot of cases. Many extensions both in contrib and external ones (like PostGIS for example) don't give appropriate permissions to actually use the extension.

Taking postgresql_fdw as an example.

I modify the control file to allow it to be trusted (I'd suggest how to do this be documented as well)

cat /usr/pgsql-13/share/extension/postgres_fdw.control
# postgres_fdw extension
comment = 'foreign-data wrapper for remote PostgreSQL servers'
default_version = '1.0'
module_pathname = '$libdir/postgres_fdw'
relocatable = true
trusted = true

My current, non-super user:

\du admin
List of roles
Role name | Attributes | Member of
-----------+------------------------+-----------
admin | Create role, Create DB | {}


Create the extension:
test2=> create extension postgres_fdw ;
CREATE EXTENSION

Actually try and use it:

test2=> CREATE SERVER foreign_server
FOREIGN DATA WRAPPER postgres_fdw
OPTIONS (host '192.83.123.89', port '5432', dbname 'foreign_db');
ERROR: permission denied for foreign-data wrapper postgres_fdw


To make it work, you need a superuser to run GRANT usage ... on the foreign data wrapper to the user that creates it. And while a superuser can apply the needed grants, it's an awkard feature to allow a non-superuser to create an extension, then require a superuser to grant things to allow it to actually be used.

There are lots of other cases of such behavior. pg_stats_statements_reset() for example. Big external extensions like PostGIS also suffer from permissions issues.

Brad.

Re: PG13 Trusted Extension usability issue

From
Tom Lane
Date:
"Brad Nicholson" <bradn@ca.ibm.com> writes:
> First, as a long time user of the pgextwlist extension, I'm happy to see
> this functionality appearing in core.  However, as a long term user of that
> extension, I can say that ability to create an extension as a non-super
> user is pretty limited in itself in a lot of cases.  Many extensions both
> in contrib and external ones (like PostGIS for example) don't give
> appropriate permissions to actually use the extension.

> Taking postgresql_fdw as an example.

I'm confused about your point here.  postgresql_fdw has intentionally
*not* been marked trusted.  That's partly because it doesn't seem like
outside-the-database access is something we want to allow by default,
but it's also the case that there are inside-the-database permissions
issues.  So no, we have not solved those, but that is not a shortcoming
of the trusted-extensions feature AFAICS.  It is not the intent of
that feature that you can randomly mark unsafe extensions as trusted
and have every one of their permissions safety-checks vanish.

            regards, tom lane



RE: PG13 Trusted Extension usability issue

From
"Brad Nicholson"
Date:

Tom Lane <tgl@sss.pgh.pa.us> wrote on 2020/06/26 02:47:25 PM:

> From: Tom Lane <tgl@sss.pgh.pa.us>

> To: "Brad Nicholson" <bradn@ca.ibm.com>
> Cc: pgsql-general@lists.postgresql.org
> Date: 2020/06/26 02:51 PM
> Subject: [EXTERNAL] Re: PG13 Trusted Extension usability issue
>
> "Brad Nicholson" <bradn@ca.ibm.com> writes:
> > First, as a long time user of the pgextwlist extension, I'm happy to see
> > this functionality appearing in core.  However, as a long term user of that
> > extension, I can say that ability to create an extension as a non-super
> > user is pretty limited in itself in a lot of cases.  Many extensions both
> > in contrib and external ones (like PostGIS for example) don't give
> > appropriate permissions to actually use the extension.
>
> > Taking postgresql_fdw as an example.
>
> I'm confused about your point here.  postgresql_fdw has intentionally
> *not* been marked trusted.  That's partly because it doesn't seem like
> outside-the-database access is something we want to allow by default,
> but it's also the case that there are inside-the-database permissions
> issues.


Ah - I misread the docs.  Specifically I read this:

"For many extensions this means superuser privileges are needed. However, if the extension is marked trusted in its control file, then it can be installed by any user who has CREATE privilege on the current database"

To mean that you could mark any extension as trusted in the control file to allow non-superuser installation.

Thanks,
Brad

Re: PG13 Trusted Extension usability issue

From
Adrian Klaver
Date:
On 6/26/20 12:03 PM, Brad Nicholson wrote:
> Tom Lane <tgl@sss.pgh.pa.us> wrote on 2020/06/26 02:47:25 PM:
> 
>  > From: Tom Lane <tgl@sss.pgh.pa.us>
>  > To: "Brad Nicholson" <bradn@ca.ibm.com>
>  > Cc: pgsql-general@lists.postgresql.org
>  > Date: 2020/06/26 02:51 PM
>  > Subject: [EXTERNAL] Re: PG13 Trusted Extension usability issue
>  >
>  > "Brad Nicholson" <bradn@ca.ibm.com> writes:
>  > > First, as a long time user of the pgextwlist extension, I'm happy 
> to see
>  > > this functionality appearing in core.  However, as a long term user 
> of that
>  > > extension, I can say that ability to create an extension as a non-super
>  > > user is pretty limited in itself in a lot of cases.  Many 
> extensions both
>  > > in contrib and external ones (like PostGIS for example) don't give
>  > > appropriate permissions to actually use the extension.
>  >
>  > > Taking postgresql_fdw as an example.
>  >
>  > I'm confused about your point here.  postgresql_fdw has intentionally
>  > *not* been marked trusted.  That's partly because it doesn't seem like
>  > outside-the-database access is something we want to allow by default,
>  > but it's also the case that there are inside-the-database permissions
>  > issues.
> 
> Ah - I misread the docs.  Specifically I read this:
> 
> "For many extensions this means superuser privileges are needed. 
> However, if the extension is marked trusted in its control file, then it 
> can be installed by any user who has CREATE privilege on the current 
> database"

The rest of that paragraph:

"In this case the extension object itself will be owned by the calling 
user, but the contained objects will be owned by the bootstrap superuser 
(unless the extension's script explicitly assigns them to the calling 
user). This configuration gives the calling user the right to drop the 
extension, but not to modify individual objects within it."

> 
> To mean that you could mark any extension as trusted in the control file 
> to allow non-superuser installation.
> 
> Thanks,
> Brad
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com



Re: PG13 Trusted Extension usability issue

From
Tom Lane
Date:
"Brad Nicholson" <bradn@ca.ibm.com> writes:
> Tom Lane <tgl@sss.pgh.pa.us> wrote on 2020/06/26 02:47:25 PM:
>> I'm confused about your point here.  postgresql_fdw has intentionally
>> *not* been marked trusted.  That's partly because it doesn't seem like
>> outside-the-database access is something we want to allow by default,
>> but it's also the case that there are inside-the-database permissions
>> issues.

> Ah - I misread the docs.  Specifically I read this:
> "For many extensions this means superuser privileges are needed. However,
> if the extension is marked trusted in its control file, then it can be
> installed by any user who has CREATE privilege on the current database"
> To mean that you could mark any extension as trusted in the control file to
> allow non-superuser installation.

Well, it's just like anything else in an open-source database: you can
change the code however you want, but the fallout from that is on you.

In the case at hand, you might be able to do what you want by adding
something along the line of

GRANT USAGE ON FOREIGN DATA WRAPPER postgres_fdw
  TO @extowner@ WITH GRANT OPTION;

to the extension install script.  But nobody's researched whether that's
reasonable from a security standpoint, or whether it will play nicely
with dump/reload, etc etc.

            regards, tom lane



Re: PG13 Trusted Extension usability issue

From
Stephen Frost
Date:
Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> "Brad Nicholson" <bradn@ca.ibm.com> writes:
> > Tom Lane <tgl@sss.pgh.pa.us> wrote on 2020/06/26 02:47:25 PM:
> >> I'm confused about your point here.  postgresql_fdw has intentionally
> >> *not* been marked trusted.  That's partly because it doesn't seem like
> >> outside-the-database access is something we want to allow by default,
> >> but it's also the case that there are inside-the-database permissions
> >> issues.
>
> > Ah - I misread the docs.  Specifically I read this:
> > "For many extensions this means superuser privileges are needed. However,
> > if the extension is marked trusted in its control file, then it can be
> > installed by any user who has CREATE privilege on the current database"
> > To mean that you could mark any extension as trusted in the control file to
> > allow non-superuser installation.
>
> Well, it's just like anything else in an open-source database: you can
> change the code however you want, but the fallout from that is on you.
>
> In the case at hand, you might be able to do what you want by adding
> something along the line of
>
> GRANT USAGE ON FOREIGN DATA WRAPPER postgres_fdw
>   TO @extowner@ WITH GRANT OPTION;
>
> to the extension install script.  But nobody's researched whether that's
> reasonable from a security standpoint, or whether it will play nicely
> with dump/reload, etc etc.

Indeed that could be done, and almost certainly will be by cloud
vendors, resulting in more forks of PG done in different ways.

I do agree that, in general, we need a way to allow a superuser to GRANT
the right to connect to other systems (so that it could be done
initially when creating the not-really-superuser-privileged-user, before
the extension is created), since we don't want that to be allowed from
the start, then have that checked by extensions, but once that's done it
seems like it'd be alright to include the above GRANT USAGE in upstream
(regarding this specific concern, at least).

Seems like a default role would probably be the way to add that.

Thanks,

Stephen

Attachment