Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tCvHI-00EZcx-8c for pgsql-hackers@arkaria.postgresql.org; Mon, 18 Nov 2024 06:30:27 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tCvHF-003EJc-Ib for pgsql-hackers@arkaria.postgresql.org; Mon, 18 Nov 2024 06:30:26 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tCvHF-003EJT-4N for pgsql-hackers@lists.postgresql.org; Mon, 18 Nov 2024 06:30:25 +0000 Received: from mail-lj1-x229.google.com ([2a00:1450:4864:20::229]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1tCvHC-002TGM-Pl for pgsql-hackers@lists.postgresql.org; Mon, 18 Nov 2024 06:30:24 +0000 Received: by mail-lj1-x229.google.com with SMTP id 38308e7fff4ca-2fb5740a03bso37162931fa.1 for ; Sun, 17 Nov 2024 22:30:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1731911421; x=1732516221; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=xg1mbuEAWzBakTMeR4bnW69Xg4wcFiud6h5RO4UwNGQ=; b=Fh5Khwo5R3GqfmdBgV1V42GxR4vA9vLbCx8YUXmIuX31nMvDy7VwczI8zwlX9vlnX0 sxiK9rFWCr9D0DRI2aiDx3uF9ZtT2wFysWB99Cj3Ko2RYnwDtu6aF1Jb8ujuH95eB3gI piCBNBI+gLfZKlCyfLkV3adcS7vGn38tEZLccYGtc03F1sFtHxdLyAQcrIvuy5MrbRGw RNcjTY1CqXQJGjPbvYaKuWVZfkJoEEgVZHYCBzl4qaZXWirIttfB1Yuf1Odaw1sqgecv nvXXurWeenap+DljLh9e7HEM4viW5cLazU1nN7baBt8HE3o+efhT4/djSwo6GK1oyTri Bz/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731911421; x=1732516221; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=xg1mbuEAWzBakTMeR4bnW69Xg4wcFiud6h5RO4UwNGQ=; b=ktbqx8TZKVCmfd3yvSzRfS/TPsziSgWm08LurZZpw+9JKujWNmOBFyeFgGg78shr2e x6Ate2186SIqqM77olf7ojJKju5K2oaGnSksdS3Ar8VX0USohf74kwf67VMTuqG3rt9u CvAciOBsRW/pYn+O379jbmRJKKTec9oxtbSGFbw2Pz95oiDj5KoRtElO5Qmwd3BY6Fog +w6rTX92MLkWrwS2N91QsO419Hv+Qv+LbAIM5MDAkdifEFmGyZnVZ//Cb3UWek51Lt1I uQCdL5f6AJAWcnQLyrgKAc7IfUbPM5KM/KG0Tz2iAydbJdV9xkTz5VzZATSu0byRl9LU QRKQ== X-Forwarded-Encrypted: i=1; AJvYcCXa1etNDFg7EPSOyYBZt2ppBxwDppc5iob850Xfj2PvfWROZVEOC4wnPjfH4o9CuPnTgLb/0unkOPmHyJDS@lists.postgresql.org X-Gm-Message-State: AOJu0YwVtQ5vlpADYD57n5HaKjDS/1r1qCrYgpNnE0XnkEnoItsBZojd ROXt6zVK6pEdVHkJwDlwgQ/tesjfjhrgrgPSPSDYhkc4ITF5kNnjBg39JRt7g7jJfyquC0Ua+fz eaeLgBBSAzCGumid/Po/h7iaZ03nqeNn47y4= X-Google-Smtp-Source: AGHT+IGFe49bh40F07ZyrT/GrYmijPhFR3wskfhJpg19X2w73Hu0Op4u04H+ZAdfb2I14TGcIjCFi2wqQPyRdOGD6xc= X-Received: by 2002:a05:651c:b0f:b0:2ff:567f:9108 with SMTP id 38308e7fff4ca-2ff606fd180mr56370821fa.33.1731911420832; Sun, 17 Nov 2024 22:30:20 -0800 (PST) MIME-Version: 1.0 References: <65a1524e.050a0220.49266.7670@mx.google.com> <65a247d9.050a0220.ecb2e.1177@mx.google.com> <6723fae4.a70a0220.28a8f2.27e4@mx.google.com> In-Reply-To: From: Kirill Reshke Date: Mon, 18 Nov 2024 11:30:09 +0500 Message-ID: Subject: Re: [PATCH] New predefined role pg_manage_extensions To: Michael Banck Cc: Jelte Fennema-Nio , PostgreSQL Hackers Content-Type: text/plain; charset="UTF-8" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, 18 Nov 2024 at 11:26, Kirill Reshke wrote: > > On Fri, 1 Nov 2024 at 02:47, Michael Banck wrote: > > > > Hi, > > > > Even though there has not been a lot of discussion on this, here is a > > rebased patch. I have also added it to the upcoming commitfest. > > > Hi! > > > + pg_manage_extensions allows creating, removing or > > + updating extensions, even if the extensions are untrusted or the user is > > + not the database owner. > > Users are not required to be a database owner to create extensions. > They are required to have CREATE priv on database. > > > On Sat, Jan 13, 2024 at 09:20:40AM +0100, Michael Banck wrote: > > > On Fri, Jan 12, 2024 at 04:13:27PM +0100, Jelte Fennema-Nio wrote: > > > > But I'm not sure that such a pg_manage_extensions role would have any > > > > fewer permissions than superuser in practice. > > > > > > Note that just being able to create an extension does not give blanket > > > permission to use it. I did a few checks with things I thought might be > > > problematic like adminpack or plpython3u, and a pg_manage_extensions > > > user is not allowed to call those functions or use the untrusted > > > language. > > > > > > > Afaik many extensions that are not marked as trusted, are not trusted > > > > because they would allow fairly trivial privilege escalation to > > > > superuser if they were. > > > > > > While that might be true (or we err on the side of caution), I thought > > > the rationale was more that they either disclose more information about > > > the database server than we want to disclose to ordinary users, or that > > > they allow access to the file system etc. > > Extension installation script can execute arbitrary code with > superuser privilege if markled trusted. > > Take this example > > ``` > > reshke@yezzey-cbdb:~/postgres/contrib/fooe$ cat fooe.control > # fooe extnesion > comment = 'foo bar baz' > default_version = '1.0' > module_pathname = '$libdir/fooe' > relocatable = true > trusted = true > reshke@yezzey-cbdb:~/postgres/contrib/fooe$ cat fooe--1.0.sql > /* contrib/fooe/fooe--1.0.sql */ > > -- complain if script is sourced in psql, rather than via CREATE EXTENSION > \echo Use "CREATE EXTENSION fooe" to load this file. \quit > > > CREATE ROLE pwned WITH LOGIN SUPERUSER; > > reshke@yezzey-cbdb:~/postgres/contrib/fooe$ ../../pgbin/bin/psql -d db2 > db2=# create role user_no_sup with login; > CREATE ROLE > db2=# ^C > \q > I'm sorry, the example is incomplete. Here is missing command: db2=# grant create on database db2 to user_no_sup ; GRANT > reshke@yezzey-cbdb:~/postgres/contrib/fooe$ ../../pgbin/bin/psql -U > user_no_sup -d db2 > psql (18devel) > Type "help" for help. > > db2=> create extension fooe ; > CREATE EXTENSION > db2=> \du+ > List of roles > Role name | Attributes > | Description > -------------+------------------------------------------------------------+------------- > pwned | Superuser | > reshke | Superuser, Create role, Create DB, Replication, Bypass RLS | > user1 | | > user2 | | > user_no_sup | | > > db2=> ^C > > ``` > > > > > I think if we have extensions in contrib that trivially allow > > > non-superusers to become superusers just by being installed, that should > > > be a bug and be fixed by making it impossible for ordinary users to > > > use those extensions without being granted some access to them in > > > addition. > > > > > > After all, socially engineering a DBA into installing an extension due > > > to user demand would be a thing anyway (even if most DBAs might reject > > > it) and at least DBAs should be aware of the specific risks of a > > > particular extension probably? > > > > > > Michael > > > In general, this concept is rather dubious. Why should we have such a > dangerous pre-defined role? I would prefer to have complete control > over what gets installed in the database if I were a superuser. > Additionally, if a dangerous extension is inadvertently or otherwise > loaded on the host, I never want a normal user to run code with > superuser privileges. > > For a thorough understanding of the current situation and the > rationale behind the design, you can read this[1] discussion. > > > [1] https://www.postgresql.org/message-id/5889.1566415762%40sss.pgh.pa.us > > -- > Best regards, > Kirill Reshke -- Best regards, Kirill Reshke