Robert, * Robert Haas (robertmh...@gmail.com) wrote: > On Thu, Nov 9, 2017 at 2:56 PM, Stephen Frost <sfr...@snowman.net> wrote: > > Further, I agree entirely that we > > shouldn't be deciding that certain capabilities are never allowed to be > > given to a user- but that's why superuser *exists* and why it's possible > > to give superuser access to multiple users. The question here is if > > it's actually sensible for us to make certain actions be grantable to > > non-superusers which allow that role to become, or to essentially be, a > > superuser. What that does, just as it does in the table case, from my > > viewpoint at least, is make it *look* to admins like they're grant'ing > > something less than superuser when, really, they're actually giving the > > user superuser-level access. That violates the POLA because the admin > > didn't write 'ALTER USER joe WITH SUPERUSER', they just wrote 'GRANT > > EXECUTE ON lo_import() TO joe;'. > > This is exactly the kind of thing that I'm talking about. Forcing an > administrator to hand out full superuser access instead of being able > to give just lo_import() makes life difficult for users for no good > reason. The existence of a theoretically-exploitable security > vulnerability is not tantamount to really having access, especially on > a system with a secured logging facility.
This is where I disagree. The administrator *is* giving the user superuser-level access, they're just doing it in a different way from explicitly saying 'ALTER USER .. WITH SUPERUSER' and that's exactly the issue that I have. This isn't a theoretical exploit- the user with lo_import/lo_export access is able to read and write any file on the filesystem which the PG OS has access to, including things like pg_hba.conf in most configurations, the file backing pg_authid, the OS user's .bashrc, the Kerberos principal, the CA public key, the SSL keys, tables owned by other users that the in-database role doesn't have access to, et al. Further, will we consider these *actual*, non-theoretical, methods to gain superuser access, or to bypass the database authorization system, to be security issues or holes to plug? I'm guessing no, which essentially means that *we* consider access to lo_import/lo_export to be equivilant to superuser and therefore we're not going to implement anything to try and prevent the user who has access to those functions from becoming superuser. If we aren't willing to do that, then how can we really say that there's some difference between access to these functions and being a superuser? Thanks! Stephen
Description: Digital signature