Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSaEL-00010m-0F for pgsql-hackers@arkaria.postgresql.org; Tue, 31 Dec 2024 11:16:09 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tSaEI-00227a-Nd for pgsql-hackers@arkaria.postgresql.org; Tue, 31 Dec 2024 11:16:06 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSaEI-00227R-9o for pgsql-hackers@lists.postgresql.org; Tue, 31 Dec 2024 11:16:06 +0000 Received: from mail-wr1-x430.google.com ([2a00:1450:4864:20::430]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1tSaE8-002UqH-RQ for pgsql-hackers@lists.postgresql.org; Tue, 31 Dec 2024 11:16:03 +0000 Received: by mail-wr1-x430.google.com with SMTP id ffacd0b85a97d-385f06d0c8eso5173447f8f.0 for ; Tue, 31 Dec 2024 03:15:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1735643755; x=1736248555; darn=lists.postgresql.org; h=user-agent:in-reply-to:content-disposition:mime-version:references :subject:cc:to:from:date:sender:message-id:from:to:cc:subject:date :message-id:reply-to; bh=QjKnrmvmnon5yCoeq78DJlMTUwHkc1mOObXaN9ECNPU=; b=GxlC2zrIujHuJ+isPUiM9e3BfehHn9Il+VmbwgLfE0Ce0z/AH7m46VqeOY8EyOinzg XxRVazFBCg3sfhaWQpdVAl7SB3Q2928JS+mfmoz0A5xeKUKu4hkUmXg6C62b4FKspCQW wSw48CkkCj8ygxIlxuFBW/nMwkyRbdKZjr6CjISfRvtAwtALyzNfa08sVQx+iy/dAfJg ULl47V/MC/Dxik0AnrEJ4dnfeFlJaojzWUMsEVlHgSmLM0djlSE7Ni/g4PE9A4elb4Pf Zf9gsCgN4FpWgZHI4uAsJnCjc75whV71U3fHFB8roCCSnKncGotEVN3r0Hme30OnGWSX QDmQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735643755; x=1736248555; h=user-agent:in-reply-to:content-disposition:mime-version:references :subject:cc:to:from:date:sender:message-id:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=QjKnrmvmnon5yCoeq78DJlMTUwHkc1mOObXaN9ECNPU=; b=ic/YvYSJjAi/RlG2ai4VjYQxd+yX3ao/R5IogRQCcMf21Sr8OTeZAe4lm+qB9T0kYu b4kWfc9+5ODOZGPEIljeY9lCPjwY8NHjq9vAKHzkFpohuy0k8XCKuzERr+LjtuO7EpT8 4Vlqz1od8JPftdVShMEPnxJ6uzc7SC03kimyRRIAzzB3bUTBZtvgo8WXgIAzdpiO8ab+ NEKXghqta+GJCqrwq7KVNA2o8ZtQF82Cel6D2pVRrkl4tk5/mmbb5Gkp9fsZwBJyKPwv 06xLklMBToXKrVHrhCLqg8RGhr59dtBNegVxCHNHyz30uv2/S2QXonSnk2Hq9aBNTsVd BBLA== X-Forwarded-Encrypted: i=1; AJvYcCWC9A7KmAfiFvJvQFUix7BkAd65Bv774U6/kPFRa8NLaKVV0MTr+GCZVUwULi/2UcF2Hn4IkFVtyGNbHhV9@lists.postgresql.org X-Gm-Message-State: AOJu0YzUvO/yIiiVjxVshfvIm4rzVAzrX73eSkK7eqq0AE3q2PCcJ/nN yiWT1+v88HLSvFG/YoFkMBpxXP6Qyo37QFMWO2V5BAAGL/ikw9qd X-Gm-Gg: ASbGncsz72pxxhc7PGFHdspD1kFintdGKbqg3G2wRroIXcXvuePvuN3ga0DD7VyRffZ tpqxYlRJJqL9BmRoZbH1mYMhMk8RM278BMJ/QTArJ8j780auU/J2qnn0Zy7z3g3m+RanPKyxOcu ljKexwRPVCORr43niRwKTvYFDvQXlYQ7H8GwnmvQjC+4p9pvN5OZaJcRFhlyYry1aO+y47zAGl5 YR7pPzHHBpGdEhbigCA+1Mdb7FFDoPxGbYwKjfltsuMlyT3D+qZg5MDjyOVYpGuvrDWtaMfJrV5 XqNMHbHqKsRfGJa7 X-Google-Smtp-Source: AGHT+IFiD4kx/+oprXUubJPudwgJZs6Jbmij/PtCbqWqyV9HqOCeDPzH3I3GA8IRddJdmjpXgjUxQw== X-Received: by 2002:a05:6000:71b:b0:385:fab3:c56d with SMTP id ffacd0b85a97d-38a221685c4mr31433380f8f.0.1735643754797; Tue, 31 Dec 2024 03:15:54 -0800 (PST) Received: from lightning.caipicrew.dd-dns.de ([2001:a61:10dc:9701:1f93:5b09:ad65:dcaa]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4366127c493sm381835775e9.28.2024.12.31.03.15.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 31 Dec 2024 03:15:54 -0800 (PST) Message-ID: <6773d26a.050a0220.326c12.b02a@mx.google.com> X-Google-Original-Message-ID: <20241231111553.GB5393@caipicrew.dd-dns.de;lightning.caipicrew.dd-dns.de> Sender: Michael Banck Received: from mbanck by lightning.caipicrew.dd-dns.de with local (Exim 4.92) (envelope-from ) id 1tSaE5-0001bv-T7; Tue, 31 Dec 2024 12:15:53 +0100 Date: Tue, 31 Dec 2024 12:15:53 +0100 From: Michael Banck To: Kirill Reshke Cc: Jelte Fennema-Nio , PostgreSQL Hackers Subject: Re: [PATCH] New predefined role pg_manage_extensions References: <65a1524e.050a0220.49266.7670@mx.google.com> <65a247d9.050a0220.ecb2e.1177@mx.google.com> <6723fae4.a70a0220.28a8f2.27e4@mx.google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi, first, sorry for the late reply :-/ On Mon, Nov 18, 2024 at 11:26:40AM +0500, Kirill Reshke wrote: > On Fri, 1 Nov 2024 at 02:47, Michael Banck wrote: > > Even though there has not been a lot of discussion on this, here is a > > rebased patch. I have also added it to the upcoming commitfest. > > > > + pg_manage_extensions allows creating, removing or > > + updating extensions, even if the extensions are untrusted or the user is > > + not the database owner. > > Users are not required to be a database owner to create extensions. > They are required to have CREATE priv on database. Ah right, thanks, I have changed that. > > On Sat, Jan 13, 2024 at 09:20:40AM +0100, Michael Banck wrote: > > > On Fri, Jan 12, 2024 at 04:13:27PM +0100, Jelte Fennema-Nio wrote: > > > > But I'm not sure that such a pg_manage_extensions role would have any > > > > fewer permissions than superuser in practice. > > > > > > Note that just being able to create an extension does not give blanket > > > permission to use it. I did a few checks with things I thought might be > > > problematic like adminpack or plpython3u, and a pg_manage_extensions > > > user is not allowed to call those functions or use the untrusted > > > language. > > > > > > > Afaik many extensions that are not marked as trusted, are not trusted > > > > because they would allow fairly trivial privilege escalation to > > > > superuser if they were. > > > > > > While that might be true (or we err on the side of caution), I thought > > > the rationale was more that they either disclose more information about > > > the database server than we want to disclose to ordinary users, or that > > > they allow access to the file system etc. > > Extension installation script can execute arbitrary code with > superuser privilege if markled trusted. > > Take this example [...] Right, but this implies that a superuser installed that rogue/sketchy/unsafe-but-declared-safe extension in the first place. I would assume that the person having pg_manage_extensions privs not have the ability to install extensions at the system level. Maybe this should be cautioned some more in the documentation part of this patch, though. Unless one of the current untrusted contrib extensions allows to attain superuser rights by being created? My opinion was that superusers (or system administrators) would need to explicitly install this (presumably external) extension somehow, either via package management or by compile-installing it. So, what is the threat vector here? I think the system administrator has (in most/all(?) cases) superuser access to Postgres in practise anyway, via sudo/root access to the postgres user. Maybe this should be revisited in light of the extension_destdir GUC patch, but I think in that case the system admins/postgres superuser should make sure that this auxiliary directory is not writable to others. > In general, this concept is rather dubious. Why should we have such a > dangerous pre-defined role? Well, I would say pg_execute_server_program could be regarded as a precedent. > I would prefer to have complete control over what gets installed in > the database if I were a superuser. A superuser will have to grant this attribute to somebody, so there is certainly some gate-keeping here. As a side note, maybe what we are missing is a way for site admins to disable some of the predefined roles (i.e. something better than just DELETE FROM pg_authid). > Additionally, if a dangerous extension is inadvertently or otherwise > loaded on the host, I never want a normal user to run code with > superuser privileges. Well again, normal users with pg_execute_server_program rights can basically already do this. I would consider a user with a pg_manage_extensions right not a normal user, but an application DBA or a pseudo-superuser in the managed Postgres cloud parlance. > For a thorough understanding of the current situation and the > rationale behind the design, you can read this[1] discussion. I have re-read this since, thanks. I do think having a whitelist of allowed-to-be-installed extensions (similar/like https://github.com/dimitri/pgextwlist) makes sense additionally in today's container/cloud word where the local Postgres admin might not have control over which packages get installed but wants to have control over which extension the application admins (or whoever) may create, but that is another topic I think. Michael