Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nCFkm-0005vL-OU for pgsql-hackers@arkaria.postgresql.org; Tue, 25 Jan 2022 06:56:32 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nCFkG-0000Eu-0Q for pgsql-hackers@arkaria.postgresql.org; Tue, 25 Jan 2022 06:56:00 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nCFkF-0000El-Lg for pgsql-hackers@lists.postgresql.org; Tue, 25 Jan 2022 06:55:59 +0000 Received: from oss.nttdata.com ([49.212.34.109]) by makus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nCFkA-0006Gu-B0 for pgsql-hackers@postgresql.org; Tue, 25 Jan 2022 06:55:58 +0000 Received: from [192.168.11.9] (p2019072-ipbf2307funabasi.chiba.ocn.ne.jp [122.30.130.72]) by oss.nttdata.com (Postfix) with ESMTPSA id 10A156097B; Tue, 25 Jan 2022 15:55:50 +0900 (JST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.5 at oss.nttdata.com Message-ID: <8964dda4-3f25-0876-c098-77cede904413@oss.nttdata.com> Date: Tue, 25 Jan 2022 15:55:49 +0900 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.5.0 Subject: Re: CREATEROLE and role ownership hierarchies Content-Language: en-US To: Mark Dilger , Stephen Frost Cc: Robert Haas , Andrew Dunstan , "Bossart, Nathan" , Jeff Davis , Joshua Brindle , PostgreSQL-development , Shinya Kato References: <301022EA-01F9-424A-B788-44B6FCF6AB34@enterprisedb.com> <20220122212033.GO10577@tamriel.snowman.net> <8043E300-4968-4284-9A3C-84532C8F47BE@enterprisedb.com> From: Fujii Masao In-Reply-To: <8043E300-4968-4284-9A3C-84532C8F47BE@enterprisedb.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 2022/01/25 8:18, Mark Dilger wrote: > > >> On Jan 24, 2022, at 2:21 PM, Stephen Frost wrote: >> >> Superuser is a problem specifically because it gives people access to do absolutely anything, both for security and safety concerns. Disallowing a way to curtail that same risk when it comes to role ownership invites exactly those same problems. > > Before the patch, users with CREATEROLE can do mischief. After the patch, users with CREATEROLE can do mischief. The difference is that the mischief that can be done after the patch is a proper subset of the mischief that can be done before the patch. (Counter-examples highly welcome.) > > Specifically, I claim that before the patch, non-superuser "bob" with CREATEROLE can interfere with *any* non-superuser. After the patch, non-superuser "bob" with CREATEROLE can interfere with *some* non-superusers; specifically, with non-superusers he created himself, or which have had ownership transferred to him. > > Restricting the scope of bob's mischief is a huge win, in my view. +1 One of "mischiefs" I'm thinking problematic is that users with CREATEROLE can give any predefined role that they don't have, to other users including themselves. For example, users with CREATEROLE can give pg_execute_server_program to themselves and run any OS commands by COPY PROGRAM. This would be an issue when providing something like PostgreSQL cloud service that wants to prevent end users from running OS commands but allow them to create/drop roles. Does the proposed patch fix also this issue? Regards, -- Fujii Masao Advanced Computing Technology Center Research and Development Headquarters NTT DATA CORPORATION