On 19 July 2018 at 08:23, Stephen Frost <sfr...@snowman.net> wrote:

> Greetings,
>
> * Craig Ringer (cr...@2ndquadrant.com) wrote:
> > Untrusted PLs should be GRANTable with a NOTICE or WARNING telling the
> > admin that GRANTing an untrusted PL effectively gives the user the
> > ability to escape to superuser.
>
> I don't know that we really want to get into the business of issuing a
> NOTICE or WARNING in such cases.  We don't do that in a lot of other
> cases where non-superusers can be GRANT'd access which would allow them
> to become a superuser and if we start doing it now then we're going to
> need to go back and change the existing places to have such NOTICE or
> WARNING, or we'll be inconsistent about it, which would be worse.  I
> also worry that we'd start wanting to have NOTICEs for when we are
> allowing users to GRANT roles (like pg_monitor) that might get access to
> data that isn't obvious, even if they aren't able to become a superuser
> and it just gets ugly.
>
Good point.

I was mostly trying to anticipate concerns about people unwittingly
granting access to untrusted languages.

But hey, if you're using GRANT you should know what it means.

Alternately,

    GRANT USAGE ON [UNTRUSTED] LANGUAGE plpythonu;

and if you don't write UNTRUSTED we emit the existing error?

It at least means people have to think about it and recognise the
difference.

Not really convinced it's worth the hassle, but the "u" suffix isn't what
you'd call clearly a self-documenting warning of superuser-equivalent
rights either.

-- 
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services