Re: [HACKERS] allowing privileges on untrusted languages

On 1/19/13 8:45 AM, Kohei KaiGai wrote: > I think, it is a time to investigate separation of database superuser > privileges > into several fine-grained capabilities, like as operating system doing. > https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h The Linux capabili

Re: [HACKERS] allowing privileges on untrusted languages

On 1/11/13 10:25 AM, Tom Lane wrote: > Peter Eisentraut writes: >> It turned out that actually getting rid of lanpltrusted would be too >> invasive, especially because some language handlers use it to determine >> their own behavior. > >> So instead the lanpltrusted attribute now just determined

Re: [HACKERS] allowing privileges on untrusted languages

On Sun, Jan 27, 2013 at 11:15 PM, Craig Ringer wrote: > On 01/28/2013 02:15 AM, Robert Haas wrote: > > I am not sure whether it's really true that a capability mechanism > could "never really satisfy" anyone. It worked for Linux. > > I have no concern about using a capabilities approach for this,

Re: [HACKERS] allowing privileges on untrusted languages

On 01/28/2013 02:15 AM, Robert Haas wrote: > > I am not sure whether it's really true that a capability mechanism > could "never really satisfy" anyone. It worked for Linux. I have no concern about using a capabilities approach for this, but I don't think Linux is a great example here. Linux's cap

Re: [HACKERS] allowing privileges on untrusted languages

On Sun, Jan 27, 2013 at 1:09 PM, Tom Lane wrote: > Robert Haas writes: >> On Fri, Jan 25, 2013 at 2:59 PM, Kohei KaiGai wrote: >>> 2013/1/20 Tom Lane : The traditional answer to that, which not only can be done already in all existing releases but is infinitely more flexible than any >

Re: [HACKERS] allowing privileges on untrusted languages

Robert Haas writes: > On Fri, Jan 25, 2013 at 2:59 PM, Kohei KaiGai wrote: >> 2013/1/20 Tom Lane : >>> The traditional answer to that, which not only can be done already in >>> all existing releases but is infinitely more flexible than any >>> hard-wired scheme we could implement, is that you cre

Re: [HACKERS] allowing privileges on untrusted languages

On Fri, Jan 25, 2013 at 2:59 PM, Kohei KaiGai wrote: > 2013/1/20 Tom Lane : >> Robert Haas writes: >>> Yeah. We'd need to think a little bit about how to make this work, >>> since I think that adding a gajillion booleans to pg_authid will not >>> make anyone very happy. But I like the idea. GR

Re: [HACKERS] allowing privileges on untrusted languages

2013/1/20 Tom Lane : > Robert Haas writes: >> Yeah. We'd need to think a little bit about how to make this work, >> since I think that adding a gajillion booleans to pg_authid will not >> make anyone very happy. But I like the idea. GRANT >> kill_sessions_of_other_users TO bob? GRANT install_u

Re: [HACKERS] allowing privileges on untrusted languages

Tom Lane writes: > The traditional answer to that, which not only can be done already in > all existing releases but is infinitely more flexible than any > hard-wired scheme we could implement, is that you create superuser-owned > security-definer functions that can execute any specific operation

Re: [HACKERS] allowing privileges on untrusted languages

On Sun, Jan 20, 2013 at 10:53 AM, Tom Lane wrote: > Robert Haas writes: >> Yeah. We'd need to think a little bit about how to make this work, >> since I think that adding a gajillion booleans to pg_authid will not >> make anyone very happy. But I like the idea. GRANT >> kill_sessions_of_other_

Re: [HACKERS] allowing privileges on untrusted languages

Robert Haas writes: > Yeah. We'd need to think a little bit about how to make this work, > since I think that adding a gajillion booleans to pg_authid will not > make anyone very happy. But I like the idea. GRANT > kill_sessions_of_other_users TO bob? GRANT install_untrusted_pls TO > any_datab

Re: [HACKERS] allowing privileges on untrusted languages

On Sat, Jan 19, 2013 at 8:54 AM, Simon Riggs wrote: > On 19 January 2013 13:45, Kohei KaiGai wrote: >> I think, it is a time to investigate separation of database superuser >> privileges >> into several fine-grained capabilities, like as operating system doing. >> https://github.com/torvalds/lin

Re: [HACKERS] allowing privileges on untrusted languages

On 19 January 2013 13:45, Kohei KaiGai wrote: > I think, it is a time to investigate separation of database superuser > privileges > into several fine-grained capabilities, like as operating system doing. > https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h > > In case

Re: [HACKERS] allowing privileges on untrusted languages

2013/1/11 Peter Eisentraut : > Here is a proposed patch for the issue discussed in > : > > I'd propose getting rid of lanplistrusted, at least for access > checking. Instead, just don't install USAGE privileges by >

Re: [HACKERS] allowing privileges on untrusted languages

Peter Eisentraut writes: > It turned out that actually getting rid of lanpltrusted would be too > invasive, especially because some language handlers use it to determine > their own behavior. > So instead the lanpltrusted attribute now just determined what the > default privileges of the language

[HACKERS] allowing privileges on untrusted languages

Here is a proposed patch for the issue discussed in : I'd propose getting rid of lanplistrusted, at least for access checking. Instead, just don't install USAGE privileges by default for those languages.