Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nH6de-0001ZT-1q for pgsql-hackers@arkaria.postgresql.org; Mon, 07 Feb 2022 16:13:14 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nH6dc-0006PO-US for pgsql-hackers@arkaria.postgresql.org; Mon, 07 Feb 2022 16:13:12 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nH6dc-0006P0-9V for pgsql-hackers@lists.postgresql.org; Mon, 07 Feb 2022 16:13:12 +0000 Received: from mail-vs1-xe34.google.com ([2607:f8b0:4864:20::e34]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1nH6dY-0006tl-Qs for pgsql-hackers@postgresql.org; Mon, 07 Feb 2022 16:13:11 +0000 Received: by mail-vs1-xe34.google.com with SMTP id v62so158505vsv.4 for ; Mon, 07 Feb 2022 08:13:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joeconway.com; s=google; h=message-id:date:mime-version:user-agent:content-language:to:cc :references:from:subject:in-reply-to:content-transfer-encoding; bh=sJLk80OEfNPux5PwOFnkaubjSm/coV4JdsiRHqp8bz4=; b=lD+XQzyHxC1BSLwssk/qo4N9jVjE7GwCarjj5RrpIuCPumiRiAxwlf/bi7W3feQQgX srZrw0Whl2rjvaP1e3flYUGdMB9VgqQQrZ69hSFAFE75Z1szkQ8wnDOHhm9ccjyQkOki +hlOmUCGehydYvnaGF2hl+6sOCEoyl6hElyr0fNdD8/ivR7zU+QJpIPoJ9D15hSQ3+Xk CmV8EJ+IGb1ewLZqBaKclvfrKDIBwtvQ7CKnUMMWuOPGMghJ0Q82wYZdyTwDja5VWaSW NPrR93czV4+dHA5wQs91pP9+v/aTNEfWWuONoxM2QLnfrJ9aUUWsomLaQGhUXYYuWoB2 v8WA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent :content-language:to:cc:references:from:subject:in-reply-to :content-transfer-encoding; bh=sJLk80OEfNPux5PwOFnkaubjSm/coV4JdsiRHqp8bz4=; b=y20n0K1DQGOZmnZc6q1A2k6X22dkMUmlUpGE+P1vwPEogg9DaWs4avKS7lEWWx58gp PAlZF06sjXaXpA+8d1VyZ9TOsa56lUdU+7yt+x34xhf9cc2cilblvltPbxxpfQuElHg/ RJ0PZvFMDet2YHzChWZCYbzE0xSNdyZoID0P5nHnM2+U+dOwp8laTpIMtt6YC2Ckd6Ws eBZDCnJM6oZTCV3xuvXPmui7pYsMK4iwvKN5E28MVLek9UdeQkfY6nassSTFVQOaC1qX lk7ZVLH0YxOcgcBjs8/pio4FS7EpVHQBxIclQqvpKG7xocbs3YaxpucV3uwNFYXHNAfY P81w== X-Gm-Message-State: AOAM531wkyknh2ZkS/7jePHnipZSnBMd3uxlJ1dXzSe9hH+4Wo1v8vkH 4xLQPT3mDT+SUsvJPyeIPyEoQg== X-Google-Smtp-Source: ABdhPJwPvC3moUPqFWY0BweaqhXBjlpVZggRmrbXAGK9U+F+vy+eKUJjW+YUaNLCpfmTHUgU9xNxUg== X-Received: by 2002:a67:fd55:: with SMTP id g21mr4685031vsr.53.1644250386733; Mon, 07 Feb 2022 08:13:06 -0800 (PST) Received: from [192.168.4.41] (072-017-018-098.res.spectrum.com. [72.17.18.98]) by smtp.gmail.com with ESMTPSA id l18sm840585uan.7.2022.02.07.08.13.05 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 07 Feb 2022 08:13:06 -0800 (PST) Message-ID: <80af9ba7-ec24-9134-8fd9-00bf13f5c494@joeconway.com> Date: Mon, 7 Feb 2022 11:13:04 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0 Content-Language: en-US To: Robert Haas , Tom Lane Cc: Joshua Brindle , "Bossart, Nathan" , Stephen Frost , PostgreSQL-development References: <20211108204449.GO20998@tamriel.snowman.net> <5F9388A2-35EA-4DAA-BE05-68D55EEA6DC3@amazon.com> <0ED10807-9E7F-4BB5-9473-4668EE68AE2D@amazon.com> <4117557.1641329799@sss.pgh.pa.us> <730520.1644168290@sss.pgh.pa.us> From: Joe Conway Subject: Re: [PATCH v2] use has_privs_for_role for predefined roles In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 2/7/22 10:35, Robert Haas wrote: > On Sun, Feb 6, 2022 at 12:24 PM Tom Lane wrote: >> Joe Conway writes: >> > I'd like to pick this patch up and see it through to commit/push. >> > Presumably that will include back-patching to all supported pg versions. >> > Before I go through the effort to back-patch, does anyone want to argue >> > that this should *not* be back-patched? >> >> Hm, I'm -0.5 or so. I think changing security-related behaviors >> in a stable branch is a hard sell unless you are closing a security >> hole. This is a fine improvement for HEAD but I'm inclined to >> leave the back branches alone. > > I think the threshold to back-patch a clear behavior change is pretty > high, so I do not think it should be back-patched. ok > I am also not convinced that a sufficient argument has been made for > changing this in master. This isn't the only thread where NOINHERIT > has come up lately, and I have to admit that I'm not a fan. Let's > suppose that I have two users, let's say sunita and sri. In the real > world, Sunita is Sri's manager and needs to be able to perform actions > as Sri when Sri is out of the office, but it isn't desirable for > Sunita to have Sri's privileges in all situations all the time. So we > mark role sunita as NOINHERIT and grant sri to sunita. Then it turns > out that Sunita also needs to be COPY TO/FROM PROGRAM, so we give her > pg_execute_server_program. Now, if she can't exercise this privilege > without setting role to the prefined role, that's bad, isn't it? I > mean, we want her to be able to copy between *her* tables and various > shell commands, not the tables owned by pg_execute_server_program, of > which there are presumably none. Easily worked around with one additional level of role: 8<--------------------------------------- nmx=# create user sunita; CREATE ROLE nmx=# create user sri superuser; CREATE ROLE nmx=# create user sri_alt noinherit; CREATE ROLE nmx=# grant sri to sri_alt; GRANT ROLE nmx=# grant sri_alt to sunita; GRANT ROLE nmx=# grant pg_execute_server_program to sunita; GRANT ROLE nmx=# set session authorization sri; SET nmx=# create table foo(id int); CREATE TABLE nmx=# insert into foo values(42); INSERT 0 1 nmx=# set session authorization sunita; SET nmx=> select * from foo; ERROR: permission denied for table foo nmx=> set role sri; SET nmx=# select * from foo; id ---- 42 (1 row) nmx=# reset role; RESET nmx=> select current_user; current_user -------------- sunita (1 row) nmx=> create temp table sfoo(f1 text); CREATE TABLE nmx=> copy sfoo(f1) from program 'id'; COPY 1 nmx=> select f1 from sfoo; f1 ---------------------------------------------------------------------------------------- uid=1001(postgres) gid=1001(postgres) groups=1001(postgres),108(ssl-cert),1002(pgconf) (1 row) 8<--------------------------------------- > It seems to me that the INHERIT role flag isn't very well-considered. > Inheritance, or the lack of it, ought to be decided separately for > each inherited role. However, that would be a major architectural > change. Agreed -- that would be useful. > But in the absence of that, it seems clearly better for predefined > roles to disregard INHERIT and just always grant the rights they are > intended to give. Because if we don't do that, then we end up with > people having to SET ROLE to the predefined role and perform actions > directly as that role, which seems like it can't be what we want. I > almost feel like we ought to be looking for ways of preventing people > from doing SET ROLE to a predefined role altogether, not encouraging > them to do it. I disagree with this though. It is confusing and IMHO dangerous that the predefined roles currently work differently than regular roles eith respect to privilege inheritance. In fact, I would extend that argument to the pseudo-role PUBLIC. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development