subject:"\[PATCHES\] Proposed patch to remove USERLIMIT"

Re: [PATCHES] Proposed patch to remove USERLIMIT

2004-11-11 Thread Bruce Momjian

Tom Lane wrote:
 Bruce Momjian [EMAIL PROTECTED] writes:
  I would be glad to see USERLIMIT gone, even though I wrote it.  However,
  I feel we are removing user's ability of non-super users to turn logging
  on and off easily without really having thought through a mechanism to
  give them that.
 
 I think that is a very weak argument.  Remember that the discussion

Well, I disagree or I wouldn't have made the argument, would I?

 started because setting these variables via ALTER USER fails to work.

It fails to work if logging was already on and someone wants to turn it
off via ALTER USER, and that matches the expected behavior.

 Why is that of less concern than the fact that unprivileged users won't
 be able to increase the log level by themselves?  I think it's pretty

Because it is working as planned, meaning normal users can't turn off
logging.

 debatable whether the current behavior is a feature at all, rather than
 a security hole.
 
  I just don't see people creating secuirty definer
  functions easily to do this
 
 create or replace function enable_logging(bool) returns void as $$
 begin
   if $1 then
 set log_statement = 'all';
   else
 set log_statement = 'ddl';
   end if;
   return;
 end$$ language plpgsql security definer;
 
 revoke execute on function enable_logging(bool) from public;
 grant execute on function enable_logging(bool) to joe_user;
 
 (My, that was hard ...)

Well, you have just made the system less secure by creating that
function.  Why didn't you create a function that has the existing
behavior of only allowing users to increase the log level?  Because it
is harder to do, and certainly not something trivial you would write
during a debugging session.

 You seem to be supposing that anyone who needs this will be needing a
 bug-for-bug equivalent to the existing USERLIMIT behavior.  I don't

What bug?

 think so.  I think that in the field, people are going to have at most
 a couple of logging configurations they want to allow users to select,
 and they will use code not significantly more complex than the above.

Can you show me the function?

 Arguably, this approach is better than directly calling the SET commands
 anyway, because it insulates the application code from the changing
 details of the specific GUC variables.  Need I remind you that any app
 that directly issues SET log_statement is going to be broken by 8.0?
 In 7.4 this variable took on and off, now it does not.  The argument
 of preserving backwards-compatible behavior looks a bit funny beside
 that reality.

I realize that but I think we need to give people the existing
functionality out of the box, or at least not make such a change so
close to final without time to discuss.  You should ask on general where
we usually do such polls of feature changes?  People are already
complaining we don't make logging easy enough (pg_stat_activity) and now
we are going to make it harder still?  Doesn't make sense to me, and I
don't see your change as a bug fix.

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073

---(end of broadcast)---
TIP 4: Don't 'kill -9' the postmaster

Re: [PATCHES] Proposed patch to remove USERLIMIT

2004-11-11 Thread Bruce Momjian

Tom Lane wrote:
 Bruce Momjian [EMAIL PROTECTED] writes:
  Tom Lane wrote:
  started because setting these variables via ALTER USER fails to work.
 
  It fails to work if logging was already on and someone wants to turn it
  off via ALTER USER, and that matches the expected behavior.
 
 Not if a superuser does it; superusers should be allowed to set it
 however they want.  In current code a superuser can't even set it
 that way for himself, let alone for other nonprivileged users.
 You seem to define expected behavior as whatever the code does now,
 but in point of fact it's got lots of deficiencies.

I just turned logging on in my postgresql.conf file, did as super-user:

test= ALTER USER postgres SET log_statement = 'none';

and it seemed to work fine.  Are you saying the problem is that the
super-user can't set log_statement for non-super users via ALTER USER? 
Yes, that doesn't work, but I have seen only one user request to do
that, while I have seen a lot of requests of people wanting to turn
log_statement on and off as non-super users in their applications.

  Well, you have just made the system less secure by creating that
  function.  Why didn't you create a function that has the existing
  behavior of only allowing users to increase the log level?
 
 I repeat my point: I don't think DBAs actually need that.  In the
 function as illustrated, I gave joe_user (and nobody else) the choice
 between 'all' and 'ddl' (and nothing else), where I suppose 'ddl' is the
 global default.  This is in fact a whole lot *more* secure than the
 existing behavior, in the sense that I can constrain what's allowed a
 lot more.
 
 If I later decide I want 'mod' as the global default, I can alter the
 function to map it that way, and joe_user's application is entirely
 unaffected.  This is *not* true if I expect joe_user's app to set the
 variable directly.  He has to go change his app to conform to the new
 global default.

OK, so you are saying your function has to be aligned with the global
default.

  think so.  I think that in the field, people are going to have at most
  a couple of logging configurations they want to allow users to select,
  and they will use code not significantly more complex than the above.
 
  Can you show me the function?
 
 I did.

I want to see one that allows a non-super user to only to increase the
log level without predefining the lowest log level allowed.

  You should ask on general where
  we usually do such polls of feature changes?
 
 Where was the poll in which we decided that the logging variables needed
 to be secured at all?  In 7.3 these variables were all plain USERSET.

We didn't need a pool because we had repeated user complaints stating
our current setup was insecure, and we weren't in feature freeze or near
final release.

This whole discussion is taking time away from getting us to final.

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073

---(end of broadcast)---
TIP 3: if posting/reading through Usenet, please send an appropriate
  subscribe-nomail command to [EMAIL PROTECTED] so that your
  message can get through to the mailing list cleanly

Re: [PATCHES] Proposed patch to remove USERLIMIT

2004-11-11 Thread Tom Lane

Bruce Momjian [EMAIL PROTECTED] writes:
 I would be glad to see USERLIMIT gone, even though I wrote it.  However,
 I feel we are removing user's ability of non-super users to turn logging
 on and off easily without really having thought through a mechanism to
 give them that.

I think that is a very weak argument.  Remember that the discussion
started because setting these variables via ALTER USER fails to work.
Why is that of less concern than the fact that unprivileged users won't
be able to increase the log level by themselves?  I think it's pretty
debatable whether the current behavior is a feature at all, rather than
a security hole.

 I just don't see people creating secuirty definer
 functions easily to do this

create or replace function enable_logging(bool) returns void as $$
begin
  if $1 then
set log_statement = 'all';
  else
set log_statement = 'ddl';
  end if;
  return;
end$$ language plpgsql security definer;

revoke execute on function enable_logging(bool) from public;
grant execute on function enable_logging(bool) to joe_user;

(My, that was hard ...)

You seem to be supposing that anyone who needs this will be needing a
bug-for-bug equivalent to the existing USERLIMIT behavior.  I don't
think so.  I think that in the field, people are going to have at most
a couple of logging configurations they want to allow users to select,
and they will use code not significantly more complex than the above.

Arguably, this approach is better than directly calling the SET commands
anyway, because it insulates the application code from the changing
details of the specific GUC variables.  Need I remind you that any app
that directly issues SET log_statement is going to be broken by 8.0?
In 7.4 this variable took on and off, now it does not.  The argument
of preserving backwards-compatible behavior looks a bit funny beside
that reality.

regards, tom lane

---(end of broadcast)---
TIP 6: Have you searched our list archives?

   http://archives.postgresql.org

[PATCHES] Proposed patch to remove USERLIMIT

2004-11-10 Thread Tom Lane

The attached patch removes GUC's USERLIMIT variable category, changing
all the affected variables to be plain SUSET, as per recent discussion.

I also modified postgres.c so that variable settings coming from the
client connection request packet (eg, from PGOPTIONS on the client side)
are processed only after we have determined whether the user is a
superuser.  This allows a superuser to set SUSET options from PGOPTIONS,
which has never worked before.

I consider this to be a lot cleaner and more flexible than what we have
now.  Comments?

regards, tom lane



bin8rEOQ7lV8m.bin
Description: no-userlimit.patch.gz

---(end of broadcast)---
TIP 9: the planner will ignore your desire to choose an index scan if your
  joining column's datatypes do not match

Re: [PATCHES] Proposed patch to remove USERLIMIT

2004-11-10 Thread Bruce Momjian

Tom Lane wrote:
 The attached patch removes GUC's USERLIMIT variable category, changing
 all the affected variables to be plain SUSET, as per recent discussion.
 
 I also modified postgres.c so that variable settings coming from the
 client connection request packet (eg, from PGOPTIONS on the client side)
 are processed only after we have determined whether the user is a
 superuser.  This allows a superuser to set SUSET options from PGOPTIONS,
 which has never worked before.
 
 I consider this to be a lot cleaner and more flexible than what we have
 now.  Comments?

I would be glad to see USERLIMIT gone, even though I wrote it.  However,
I feel we are removing user's ability of non-super users to turn logging
on and off easily without really having thought through a mechanism to
give them that.  I just don't see people creating secuirty definer
functions easily to do this and perhaps we should ship some capability
with our source.

I am thinking we should hold until 8.1.  I do like the idea of moving
things to ALTER USER but I think there is more work for us to do.

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073

---(end of broadcast)---
TIP 9: the planner will ignore your desire to choose an index scan if your
  joining column's datatypes do not match

Re: [PATCHES] Proposed patch to remove USERLIMIT

Re: [PATCHES] Proposed patch to remove USERLIMIT

Re: [PATCHES] Proposed patch to remove USERLIMIT

[PATCHES] Proposed patch to remove USERLIMIT

Re: [PATCHES] Proposed patch to remove USERLIMIT

5 matches

Site Navigation

Mail list logo

Footer information