subject:"Re\: \[PATCH v2\] use has_privs_for

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-04-04 Thread Robert Haas

On Sat, Apr 2, 2022 at 1:32 PM Joe Conway  wrote:
> I saw that Robert added documentation and it already reads correctly I
> believe, except possibly an unrelated issue:
>
> 8<--
>   
>A role which replication whose privileges users are required to
> possess
>in order to make use of the shell backup target.
>If this is not set, any replication user may make use of the
>shell backup target.
>   
> 8<--
>
> Robert, should that actually be:
>   s/role which replication/role with replication/

Oh, good catch. Actually shouldn't "with replication" just be deleted?

Or maybe it needs to be reworded more, for clarity: "Replication users
must possess the privileges of this role in order to ..."

-- 
Robert Haas
EDB: http://www.enterprisedb.com

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-04-02 Thread Joe Conway


On 3/28/22 15:56, Robert Haas wrote:

On Mon, Mar 21, 2022 at 4:15 PM Joe Conway  wrote:

Robert -- any opinion on this? If I am not mistaken it is code that you
are actively working on.


Woops, I only just saw this. I don't mind if you want to change the
calls to is_member_of_role() in basebackup_server.c and
basebackup_to_shell.c to has_privs_of_role().


Done as originally posted.

On that last note, I did not find basebackup_to_shell.required_role 
documented at all, and did not attempt to fix that.


I saw that Robert added documentation and it already reads correctly I 
believe, except possibly an unrelated issue:


8<--
 
  A role which replication whose privileges users are required to 
possess

  in order to make use of the shell backup target.
  If this is not set, any replication user may make use of the
  shell backup target.
 
8<--

Robert, should that actually be:
 s/role which replication/role with replication/
?

Joe

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-03-28 Thread Joe Conway


On 3/28/22 15:56, Robert Haas wrote:

On Mon, Mar 21, 2022 at 4:15 PM Joe Conway  wrote:

Robert -- any opinion on this? If I am not mistaken it is code that you
are actively working on.


Woops, I only just saw this. I don't mind if you want to change the
calls to is_member_of_role() in basebackup_server.c and
basebackup_to_shell.c to has_privs_of_role().


No worries -- I will take care of that shortly.


However, it's not clear to me why it's different than the calls we
have in other places, like calculate_database_size() and the
relatively widely-used check_is_member_of_role().


I will have to go refresh my memory, but when I looked at those sites 
closely it all made sense to me.


I think most if not all of them were checking for the ability to switch 
to the other role, not actually checking for privileges by virtue of 
belonging to that role.



As long as we have a bunch of different practices in different parts
of the code base I can't see people getting this right consistently
... leaving aside any possible disagreement about which way is
"right".
When I take the next pass I can consider whether additional comments 
will help and report back.


Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-03-28 Thread Robert Haas

On Mon, Mar 21, 2022 at 4:15 PM Joe Conway  wrote:
> Robert -- any opinion on this? If I am not mistaken it is code that you
> are actively working on.

Woops, I only just saw this. I don't mind if you want to change the
calls to is_member_of_role() in basebackup_server.c and
basebackup_to_shell.c to has_privs_of_role(). However, it's not clear
to me why it's different than the calls we have in other places, like
calculate_database_size() and the relatively widely-used
check_is_member_of_role(). As long as we have a bunch of different
practices in different parts of the code base I can't see people
getting this right consistently ... leaving aside any possible
disagreement about which way is "right".

-- 
Robert Haas
EDB: http://www.enterprisedb.com

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-03-28 Thread Joe Conway

On 3/21/22 16:15, Joe Conway wrote:

On 3/20/22 12:38, Stephen Frost wrote:

Greetings,

On Sun, Mar 20, 2022 at 18:31 Joshua Brindle 
mailto:joshua.brin...@crunchydata.com>> 
wrote:

On Sun, Mar 20, 2022 at 12:27 PM Joe Conway mailto:m...@joeconway.com>> wrote:
 >
 > On 3/3/22 11:26, Joshua Brindle wrote:
 > > On Thu, Feb 10, 2022 at 2:37 PM Joe Conway mailto:m...@joeconway.com>> wrote:
 > >>
 > >> On 2/10/22 14:28, Nathan Bossart wrote:
 > >> > On Wed, Feb 09, 2022 at 04:39:11PM -0500, Joe Conway wrote:
 > >> >> On 2/9/22 13:13, Nathan Bossart wrote:
 > >> >>> I do wonder if users find the differences between
predefined roles and role
 > >> >>> attributes confusing.  INHERIT doesn't govern role
attributes, but it will
 > >> >>> govern predefined roles when this patch is applied.  Maybe
the role
 > >> >>> attribute system should eventually be deprecated in favor
of using
 > >> >>> predefined roles for everything.  Or perhaps the
predefined roles should be
 > >> >>> converted to role attributes.
 > >> >>
 > >> >> Yep, I was suggesting that the latter would have been
preferable to me while
 > >> >> Robert seemed to prefer the former. Honestly I could be
happy with either of
 > >> >> those solutions, but as I alluded to that is probably a
discussion for the
 > >> >> next development cycle since I don't see us doing that big
a change in this
 > >> >> one.
 > >> >
 > >> > I agree.  I still think Joshua's proposed patch is a
worthwhile improvement
 > >> > for v15.
 > >>
 > >> +1
 > >>
 > >> I am planning to get into it in detail this weekend. So far I have
 > >> really just ensured it merges cleanly and passes make world.
 > >
 > > Rebased patch to apply to master attached.
 >
 > Well longer than I planned, but finally took a closer look.
 >
 > I made one minor editorial fix to Joshua's patch, rebased to current
 > master, and added two missing call sites that presumably are
related to
 > recent commits for pg_basebackup.

FWIW I pinged Stephen when I saw the basebackup changes included
is_member_of and he didn't think they necessarily needed to be changed
since they aren't accessible to human and you can't SET ROLE on a
replication connection in order to access the role where inheritance
was blocked.

Yeah, though that should really be very clearly explained in comments 
around that code as anything that uses is_member should really be viewed 
as an exception.  I also wouldn’t be against using has_privs there 
anyway and saying that you shouldn’t be trying to connect as one role on 
a replication connection and using the privs of another when you don’t 
automatically inherit those rights, but on the assumption that the 
committer intended is_member there because SET ROLE isn’t something one 
does on replication connections, I’m alright with it being as is.

Robert -- any opinion on this? If I am not mistaken it is code that you
are actively working on.

Lacking any feedback from Robert, I removed my changes related to 
basebackup and pushed Joshua's patch with one minor editorial fix. What 
to do with the basebackup changes can go on the open items list for pg15 
I guess.

Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-03-21 Thread Joe Conway

On 3/20/22 12:38, Stephen Frost wrote:

Greetings,

On Sun, Mar 20, 2022 at 18:31 Joshua Brindle 
mailto:joshua.brin...@crunchydata.com>> 
wrote:

On Sun, Mar 20, 2022 at 12:27 PM Joe Conway mailto:m...@joeconway.com>> wrote:
 >
 > On 3/3/22 11:26, Joshua Brindle wrote:
 > > On Thu, Feb 10, 2022 at 2:37 PM Joe Conway mailto:m...@joeconway.com>> wrote:
 > >>
 > >> On 2/10/22 14:28, Nathan Bossart wrote:
 > >> > On Wed, Feb 09, 2022 at 04:39:11PM -0500, Joe Conway wrote:
 > >> >> On 2/9/22 13:13, Nathan Bossart wrote:
 > >> >>> I do wonder if users find the differences between
predefined roles and role
 > >> >>> attributes confusing.  INHERIT doesn't govern role
attributes, but it will
 > >> >>> govern predefined roles when this patch is applied.  Maybe
the role
 > >> >>> attribute system should eventually be deprecated in favor
of using
 > >> >>> predefined roles for everything.  Or perhaps the
predefined roles should be
 > >> >>> converted to role attributes.
 > >> >>
 > >> >> Yep, I was suggesting that the latter would have been
preferable to me while
 > >> >> Robert seemed to prefer the former. Honestly I could be
happy with either of
 > >> >> those solutions, but as I alluded to that is probably a
discussion for the
 > >> >> next development cycle since I don't see us doing that big
a change in this
 > >> >> one.
 > >> >
 > >> > I agree.  I still think Joshua's proposed patch is a
worthwhile improvement
 > >> > for v15.
 > >>
 > >> +1
 > >>
 > >> I am planning to get into it in detail this weekend. So far I have
 > >> really just ensured it merges cleanly and passes make world.
 > >
 > > Rebased patch to apply to master attached.
 >
 > Well longer than I planned, but finally took a closer look.
 >
 > I made one minor editorial fix to Joshua's patch, rebased to current
 > master, and added two missing call sites that presumably are
related to
 > recent commits for pg_basebackup.

FWIW I pinged Stephen when I saw the basebackup changes included
is_member_of and he didn't think they necessarily needed to be changed
since they aren't accessible to human and you can't SET ROLE on a
replication connection in order to access the role where inheritance
was blocked.

Yeah, though that should really be very clearly explained in comments 
around that code as anything that uses is_member should really be viewed 
as an exception.  I also wouldn’t be against using has_privs there 
anyway and saying that you shouldn’t be trying to connect as one role on 
a replication connection and using the privs of another when you don’t 
automatically inherit those rights, but on the assumption that the 
committer intended is_member there because SET ROLE isn’t something one 
does on replication connections, I’m alright with it being as is.

Robert -- any opinion on this? If I am not mistaken it is code that you 
are actively working on.

Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-03-20 Thread Stephen Frost

Greetings,

On Sun, Mar 20, 2022 at 18:31 Joshua Brindle 
wrote:

> On Sun, Mar 20, 2022 at 12:27 PM Joe Conway  wrote:
> >
> > On 3/3/22 11:26, Joshua Brindle wrote:
> > > On Thu, Feb 10, 2022 at 2:37 PM Joe Conway  wrote:
> > >>
> > >> On 2/10/22 14:28, Nathan Bossart wrote:
> > >> > On Wed, Feb 09, 2022 at 04:39:11PM -0500, Joe Conway wrote:
> > >> >> On 2/9/22 13:13, Nathan Bossart wrote:
> > >> >>> I do wonder if users find the differences between predefined
> roles and role
> > >> >>> attributes confusing.  INHERIT doesn't govern role attributes,
> but it will
> > >> >>> govern predefined roles when this patch is applied.  Maybe the
> role
> > >> >>> attribute system should eventually be deprecated in favor of using
> > >> >>> predefined roles for everything.  Or perhaps the predefined roles
> should be
> > >> >>> converted to role attributes.
> > >> >>
> > >> >> Yep, I was suggesting that the latter would have been preferable
> to me while
> > >> >> Robert seemed to prefer the former. Honestly I could be happy with
> either of
> > >> >> those solutions, but as I alluded to that is probably a discussion
> for the
> > >> >> next development cycle since I don't see us doing that big a
> change in this
> > >> >> one.
> > >> >
> > >> > I agree.  I still think Joshua's proposed patch is a worthwhile
> improvement
> > >> > for v15.
> > >>
> > >> +1
> > >>
> > >> I am planning to get into it in detail this weekend. So far I have
> > >> really just ensured it merges cleanly and passes make world.
> > >
> > > Rebased patch to apply to master attached.
> >
> > Well longer than I planned, but finally took a closer look.
> >
> > I made one minor editorial fix to Joshua's patch, rebased to current
> > master, and added two missing call sites that presumably are related to
> > recent commits for pg_basebackup.
>
> FWIW I pinged Stephen when I saw the basebackup changes included
> is_member_of and he didn't think they necessarily needed to be changed
> since they aren't accessible to human and you can't SET ROLE on a
> replication connection in order to access the role where inheritance
> was blocked.


Yeah, though that should really be very clearly explained in comments
around that code as anything that uses is_member should really be viewed as
an exception.  I also wouldn’t be against using has_privs there anyway and
saying that you shouldn’t be trying to connect as one role on a replication
connection and using the privs of another when you don’t automatically
inherit those rights, but on the assumption that the committer intended
is_member there because SET ROLE isn’t something one does on replication
connections, I’m alright with it being as is.

Kind Regards,

Stephen P Frost

>

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-03-20 Thread Joshua Brindle

On Sun, Mar 20, 2022 at 12:34 PM Joe Conway  wrote:
>
> On 3/20/22 12:31, Joshua Brindle wrote:
> > On Sun, Mar 20, 2022 at 12:27 PM Joe Conway  wrote:
> >>
> >> On 3/3/22 11:26, Joshua Brindle wrote:
> >> > On Thu, Feb 10, 2022 at 2:37 PM Joe Conway  wrote:
> >> >>
> >> >> On 2/10/22 14:28, Nathan Bossart wrote:
> >> >> > On Wed, Feb 09, 2022 at 04:39:11PM -0500, Joe Conway wrote:
> >> >> >> On 2/9/22 13:13, Nathan Bossart wrote:
> >> >> >>> I do wonder if users find the differences between predefined roles 
> >> >> >>> and role
> >> >> >>> attributes confusing.  INHERIT doesn't govern role attributes, but 
> >> >> >>> it will
> >> >> >>> govern predefined roles when this patch is applied.  Maybe the role
> >> >> >>> attribute system should eventually be deprecated in favor of using
> >> >> >>> predefined roles for everything.  Or perhaps the predefined roles 
> >> >> >>> should be
> >> >> >>> converted to role attributes.
> >> >> >>
> >> >> >> Yep, I was suggesting that the latter would have been preferable to 
> >> >> >> me while
> >> >> >> Robert seemed to prefer the former. Honestly I could be happy with 
> >> >> >> either of
> >> >> >> those solutions, but as I alluded to that is probably a discussion 
> >> >> >> for the
> >> >> >> next development cycle since I don't see us doing that big a change 
> >> >> >> in this
> >> >> >> one.
> >> >> >
> >> >> > I agree.  I still think Joshua's proposed patch is a worthwhile 
> >> >> > improvement
> >> >> > for v15.
> >> >>
> >> >> +1
> >> >>
> >> >> I am planning to get into it in detail this weekend. So far I have
> >> >> really just ensured it merges cleanly and passes make world.
> >> >
> >> > Rebased patch to apply to master attached.
> >>
> >> Well longer than I planned, but finally took a closer look.
> >>
> >> I made one minor editorial fix to Joshua's patch, rebased to current
> >> master, and added two missing call sites that presumably are related to
> >> recent commits for pg_basebackup.
> >
> > FWIW I pinged Stephen when I saw the basebackup changes included
> > is_member_of and he didn't think they necessarily needed to be changed
> > since they aren't accessible to human and you can't SET ROLE on a
> > replication connection in order to access the role where inheritance
> > was blocked.
>
> Maybe worth a discussion, but it seems strange to me to treat them
> differently when the whole purpose of this patch is to make things
> consistent ¯\_(ツ)_/¯
>

I don't have a strong opinion either way, just noting that it's a
possible exception area due to how it is used.

Thanks for committing this.

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-03-20 Thread Joe Conway


On 3/20/22 12:31, Joshua Brindle wrote:

On Sun, Mar 20, 2022 at 12:27 PM Joe Conway  wrote:


On 3/3/22 11:26, Joshua Brindle wrote:
> On Thu, Feb 10, 2022 at 2:37 PM Joe Conway  wrote:
>>
>> On 2/10/22 14:28, Nathan Bossart wrote:
>> > On Wed, Feb 09, 2022 at 04:39:11PM -0500, Joe Conway wrote:
>> >> On 2/9/22 13:13, Nathan Bossart wrote:
>> >>> I do wonder if users find the differences between predefined roles and 
role
>> >>> attributes confusing.  INHERIT doesn't govern role attributes, but it 
will
>> >>> govern predefined roles when this patch is applied.  Maybe the role
>> >>> attribute system should eventually be deprecated in favor of using
>> >>> predefined roles for everything.  Or perhaps the predefined roles should 
be
>> >>> converted to role attributes.
>> >>
>> >> Yep, I was suggesting that the latter would have been preferable to me 
while
>> >> Robert seemed to prefer the former. Honestly I could be happy with either 
of
>> >> those solutions, but as I alluded to that is probably a discussion for the
>> >> next development cycle since I don't see us doing that big a change in 
this
>> >> one.
>> >
>> > I agree.  I still think Joshua's proposed patch is a worthwhile improvement
>> > for v15.
>>
>> +1
>>
>> I am planning to get into it in detail this weekend. So far I have
>> really just ensured it merges cleanly and passes make world.
>
> Rebased patch to apply to master attached.

Well longer than I planned, but finally took a closer look.

I made one minor editorial fix to Joshua's patch, rebased to current
master, and added two missing call sites that presumably are related to
recent commits for pg_basebackup.


FWIW I pinged Stephen when I saw the basebackup changes included
is_member_of and he didn't think they necessarily needed to be changed
since they aren't accessible to human and you can't SET ROLE on a
replication connection in order to access the role where inheritance
was blocked.


Maybe worth a discussion, but it seems strange to me to treat them 
differently when the whole purpose of this patch is to make things 
consistent ¯\_(ツ)_/¯


Joe

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-03-20 Thread Joshua Brindle

On Sun, Mar 20, 2022 at 12:27 PM Joe Conway  wrote:
>
> On 3/3/22 11:26, Joshua Brindle wrote:
> > On Thu, Feb 10, 2022 at 2:37 PM Joe Conway  wrote:
> >>
> >> On 2/10/22 14:28, Nathan Bossart wrote:
> >> > On Wed, Feb 09, 2022 at 04:39:11PM -0500, Joe Conway wrote:
> >> >> On 2/9/22 13:13, Nathan Bossart wrote:
> >> >>> I do wonder if users find the differences between predefined roles and 
> >> >>> role
> >> >>> attributes confusing.  INHERIT doesn't govern role attributes, but it 
> >> >>> will
> >> >>> govern predefined roles when this patch is applied.  Maybe the role
> >> >>> attribute system should eventually be deprecated in favor of using
> >> >>> predefined roles for everything.  Or perhaps the predefined roles 
> >> >>> should be
> >> >>> converted to role attributes.
> >> >>
> >> >> Yep, I was suggesting that the latter would have been preferable to me 
> >> >> while
> >> >> Robert seemed to prefer the former. Honestly I could be happy with 
> >> >> either of
> >> >> those solutions, but as I alluded to that is probably a discussion for 
> >> >> the
> >> >> next development cycle since I don't see us doing that big a change in 
> >> >> this
> >> >> one.
> >> >
> >> > I agree.  I still think Joshua's proposed patch is a worthwhile 
> >> > improvement
> >> > for v15.
> >>
> >> +1
> >>
> >> I am planning to get into it in detail this weekend. So far I have
> >> really just ensured it merges cleanly and passes make world.
> >
> > Rebased patch to apply to master attached.
>
> Well longer than I planned, but finally took a closer look.
>
> I made one minor editorial fix to Joshua's patch, rebased to current
> master, and added two missing call sites that presumably are related to
> recent commits for pg_basebackup.

FWIW I pinged Stephen when I saw the basebackup changes included
is_member_of and he didn't think they necessarily needed to be changed
since they aren't accessible to human and you can't SET ROLE on a
replication connection in order to access the role where inheritance
was blocked.

> On that last note, I did not find basebackup_to_shell.required_role
> documented at all, and did not attempt to fix that.
>
> When this thread petered out, it seemed that Robert was at least neutral
> on the patch, and everyone else was +1 on applying it to master for pg15.
>
> As such, if there are any other issues, complaints, etc., please speak
> real soon now...
>
> Thanks,
>
> Joe

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-03-20 Thread Joe Conway

On 3/3/22 11:26, Joshua Brindle wrote:

On Thu, Feb 10, 2022 at 2:37 PM Joe Conway  wrote:

On 2/10/22 14:28, Nathan Bossart wrote:
> On Wed, Feb 09, 2022 at 04:39:11PM -0500, Joe Conway wrote:
>> On 2/9/22 13:13, Nathan Bossart wrote:
>>> I do wonder if users find the differences between predefined roles and role
>>> attributes confusing.  INHERIT doesn't govern role attributes, but it will
>>> govern predefined roles when this patch is applied.  Maybe the role
>>> attribute system should eventually be deprecated in favor of using
>>> predefined roles for everything.  Or perhaps the predefined roles should be
>>> converted to role attributes.
>>
>> Yep, I was suggesting that the latter would have been preferable to me while
>> Robert seemed to prefer the former. Honestly I could be happy with either of
>> those solutions, but as I alluded to that is probably a discussion for the
>> next development cycle since I don't see us doing that big a change in this
>> one.
>
> I agree.  I still think Joshua's proposed patch is a worthwhile improvement
> for v15.

+1

I am planning to get into it in detail this weekend. So far I have
really just ensured it merges cleanly and passes make world.

Rebased patch to apply to master attached.

Well longer than I planned, but finally took a closer look.

I made one minor editorial fix to Joshua's patch, rebased to current 
master, and added two missing call sites that presumably are related to 
recent commits for pg_basebackup.

On that last note, I did not find basebackup_to_shell.required_role 
documented at all, and did not attempt to fix that.

When this thread petered out, it seemed that Robert was at least neutral 
on the patch, and everyone else was +1 on applying it to master for pg15.

As such, if there are any other issues, complaints, etc., please speak 
real soon now...

Thanks,

JoeUse has_privs_for_roles for predefined role checks

Generally if a role is granted membership to another role with NOINHERIT they must use SET ROLE to access the privileges of that role, however with predefined roles the membership and privilege is conflated. Fix that by replacing is_member_of_role with has_privs_for_role for predefined roles. Patch does not remove is_member_of_role from acl.h, but it does add a warning not to use that function for privilege checking. Not backpatched based on hackers list discussion.

Author: Joshua Brindle
Reviewed-by: Stephen Frost, Nathan Bossart, Joe Conway
Discussion: https://postgr.es/m/flat/cagb+vh4zv_tvkt2tv3qns6tum_f_9icmuj0zjywwcgvi4pa...@mail.gmail.com

diff --git a/contrib/adminpack/adminpack.c b/contrib/adminpack/adminpack.c
index d7d84d0..03addf1 100644
*** a/contrib/adminpack/adminpack.c
--- b/contrib/adminpack/adminpack.c
*** convert_and_check_filename(text *arg)
*** 79,85 
  	 * files on the server as the PG user, so no need to do any further checks
  	 * here.
  	 */
! 	if (is_member_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES))
  		return filename;

  	/*
--- 79,85 
  	 * files on the server as the PG user, so no need to do any further checks
  	 * here.
  	 */
! 	if (has_privs_of_role(GetUserId(), ROLE_PG_WRITE_SERVER_FILES))
  		return filename;

  	/*
diff --git a/contrib/basebackup_to_shell/basebackup_to_shell.c b/contrib/basebackup_to_shell/basebackup_to_shell.c
index d82cb6d..f0ddef1 100644
*** a/contrib/basebackup_to_shell/basebackup_to_shell.c
--- b/contrib/basebackup_to_shell/basebackup_to_shell.c
*** _PG_init(void)
*** 90,96 
  }

  /*
!  * We choose to defer sanity sanity checking until shell_get_sink(), and so
   * just pass the target detail through without doing anything. However, we do
   * permissions checks here, before any real work has been done.
   */
--- 90,96 
  }

  /*
!  * We choose to defer sanity checking until shell_get_sink(), and so
   * just pass the target detail through without doing anything. However, we do
   * permissions checks here, before any real work has been done.
   */
*** shell_check_detail(char *target, char *t
*** 103,109 

  		StartTransactionCommand();
  		roleid = get_role_oid(shell_required_role, true);
! 		if (!is_member_of_role(GetUserId(), roleid))
  			ereport(ERROR,
  	(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
  	 errmsg("permission denied to use basebackup_to_shell")));
--- 103,109 

  		StartTransactionCommand();
  		roleid = get_role_oid(shell_required_role, true);
! 		if (!has_privs_of_role(GetUserId(), roleid))
  			ereport(ERROR,
  	(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
  	 errmsg("permission denied to use basebackup_to_shell")));
diff --git a/contrib/file_fdw/expected/file_fdw.out b/contrib/file_fdw/expected/file_fdw.out
index 0ac6e4e..14acdb2 100644
*** a/contrib/file_fdw/expected/file_fdw.out
--- b/contrib/file_fdw/expected/file_fdw.out
*** ALTER FOREIGN TABLE agg_text OWNER TO re
*** 459,465 
  ALTER FOREIGN TABLE agg_text OPTIONS (SET format

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-03-03 Thread Joshua Brindle

On Thu, Feb 10, 2022 at 2:37 PM Joe Conway  wrote:
>
> On 2/10/22 14:28, Nathan Bossart wrote:
> > On Wed, Feb 09, 2022 at 04:39:11PM -0500, Joe Conway wrote:
> >> On 2/9/22 13:13, Nathan Bossart wrote:
> >>> I do wonder if users find the differences between predefined roles and 
> >>> role
> >>> attributes confusing.  INHERIT doesn't govern role attributes, but it will
> >>> govern predefined roles when this patch is applied.  Maybe the role
> >>> attribute system should eventually be deprecated in favor of using
> >>> predefined roles for everything.  Or perhaps the predefined roles should 
> >>> be
> >>> converted to role attributes.
> >>
> >> Yep, I was suggesting that the latter would have been preferable to me 
> >> while
> >> Robert seemed to prefer the former. Honestly I could be happy with either 
> >> of
> >> those solutions, but as I alluded to that is probably a discussion for the
> >> next development cycle since I don't see us doing that big a change in this
> >> one.
> >
> > I agree.  I still think Joshua's proposed patch is a worthwhile improvement
> > for v15.
>
> +1
>
> I am planning to get into it in detail this weekend. So far I have
> really just ensured it merges cleanly and passes make world.
>

Rebased patch to apply to master attached.


v5-0001-use-has_privs_for_roles-for-predefined-role-checks.patch
Description: Binary data

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-10 Thread Joe Conway


On 2/10/22 14:28, Nathan Bossart wrote:

On Wed, Feb 09, 2022 at 04:39:11PM -0500, Joe Conway wrote:

On 2/9/22 13:13, Nathan Bossart wrote:

I do wonder if users find the differences between predefined roles and role
attributes confusing.  INHERIT doesn't govern role attributes, but it will
govern predefined roles when this patch is applied.  Maybe the role
attribute system should eventually be deprecated in favor of using
predefined roles for everything.  Or perhaps the predefined roles should be
converted to role attributes.


Yep, I was suggesting that the latter would have been preferable to me while
Robert seemed to prefer the former. Honestly I could be happy with either of
those solutions, but as I alluded to that is probably a discussion for the
next development cycle since I don't see us doing that big a change in this
one.


I agree.  I still think Joshua's proposed patch is a worthwhile improvement
for v15.


+1

I am planning to get into it in detail this weekend. So far I have 
really just ensured it merges cleanly and passes make world.


Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-10 Thread Nathan Bossart

On Wed, Feb 09, 2022 at 04:39:11PM -0500, Joe Conway wrote:
> On 2/9/22 13:13, Nathan Bossart wrote:
>> I do wonder if users find the differences between predefined roles and role
>> attributes confusing.  INHERIT doesn't govern role attributes, but it will
>> govern predefined roles when this patch is applied.  Maybe the role
>> attribute system should eventually be deprecated in favor of using
>> predefined roles for everything.  Or perhaps the predefined roles should be
>> converted to role attributes.
> 
> Yep, I was suggesting that the latter would have been preferable to me while
> Robert seemed to prefer the former. Honestly I could be happy with either of
> those solutions, but as I alluded to that is probably a discussion for the
> next development cycle since I don't see us doing that big a change in this
> one.

I agree.  I still think Joshua's proposed patch is a worthwhile improvement
for v15.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-09 Thread Joshua Brindle

On Wed, Feb 9, 2022 at 3:58 PM Robert Haas  wrote:
>
> On Wed, Feb 9, 2022 at 1:13 PM Nathan Bossart  
> wrote:
> > I do wonder if users find the differences between predefined roles and role
> > attributes confusing.  INHERIT doesn't govern role attributes, but it will
> > govern predefined roles when this patch is applied.  Maybe the role
> > attribute system should eventually be deprecated in favor of using
> > predefined roles for everything.  Or perhaps the predefined roles should be
> > converted to role attributes.
>
> I couldn't agree more. Apparently it's even confusing to developers,
> because otherwise (1) we wouldn't have the problem the patch proposes
> to fix in the first place and (2) I would have immediately been
> convinced of the value of the patch once it showed up. Since those
> things didn't happen, this is apparently confusing to (1) whoever
> wrote the code that this patch fixes and (2) me.
>

My original patch removed is_member_of to address #1 above, but that
was rejected[1]. There is now a warning in the header beside it to
hopefully dissuade improper usage going forward.

1. https://www.postgresql.org/message-id/254275.1635357633%40sss.pgh.pa.us

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-09 Thread Joe Conway


On 2/9/22 13:13, Nathan Bossart wrote:

On Tue, Feb 08, 2022 at 10:54:50PM -0500, Robert Haas wrote:

On Tue, Feb 8, 2022 at 7:38 PM Joe Conway  wrote:

If we were to start all over again with this feature my vote would be to
do things differently than we have done. I would not have called them
predefined roles, and I would have used attributes of roles (e.g. make
rolsuper into a bitmap rather than a boolean) rather than role
membership to implement them. But I didn't find time to participate in
the original discussion or review/write the code, so I have little room
to complain.


Yep, fair. I kind of like the predefined role concept myself. I find
it sort of elegant, mostly because I think it scales better than a
bitmask, which can run out of bits surprisingly rapidly. But opinions
can vary, of course.


I do wonder if users find the differences between predefined roles and role
attributes confusing.  INHERIT doesn't govern role attributes, but it will
govern predefined roles when this patch is applied.  Maybe the role
attribute system should eventually be deprecated in favor of using
predefined roles for everything.  Or perhaps the predefined roles should be
converted to role attributes.


Yep, I was suggesting that the latter would have been preferable to me 
while Robert seemed to prefer the former. Honestly I could be happy with 
either of those solutions, but as I alluded to that is probably a 
discussion for the next development cycle since I don't see us doing 
that big a change in this one.


Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-09 Thread Robert Haas

On Wed, Feb 9, 2022 at 1:13 PM Nathan Bossart  wrote:
> I do wonder if users find the differences between predefined roles and role
> attributes confusing.  INHERIT doesn't govern role attributes, but it will
> govern predefined roles when this patch is applied.  Maybe the role
> attribute system should eventually be deprecated in favor of using
> predefined roles for everything.  Or perhaps the predefined roles should be
> converted to role attributes.

I couldn't agree more. Apparently it's even confusing to developers,
because otherwise (1) we wouldn't have the problem the patch proposes
to fix in the first place and (2) I would have immediately been
convinced of the value of the patch once it showed up. Since those
things didn't happen, this is apparently confusing to (1) whoever
wrote the code that this patch fixes and (2) me.

-- 
Robert Haas
EDB: http://www.enterprisedb.com

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-09 Thread Nathan Bossart

On Tue, Feb 08, 2022 at 10:54:50PM -0500, Robert Haas wrote:
> On Tue, Feb 8, 2022 at 7:38 PM Joe Conway  wrote:
>> If we were to start all over again with this feature my vote would be to
>> do things differently than we have done. I would not have called them
>> predefined roles, and I would have used attributes of roles (e.g. make
>> rolsuper into a bitmap rather than a boolean) rather than role
>> membership to implement them. But I didn't find time to participate in
>> the original discussion or review/write the code, so I have little room
>> to complain.
> 
> Yep, fair. I kind of like the predefined role concept myself. I find
> it sort of elegant, mostly because I think it scales better than a
> bitmask, which can run out of bits surprisingly rapidly. But opinions
> can vary, of course.

I do wonder if users find the differences between predefined roles and role
attributes confusing.  INHERIT doesn't govern role attributes, but it will
govern predefined roles when this patch is applied.  Maybe the role
attribute system should eventually be deprecated in favor of using
predefined roles for everything.  Or perhaps the predefined roles should be
converted to role attributes.

-- 
Nathan Bossart
Amazon Web Services: https://aws.amazon.com

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-08 Thread Robert Haas

On Tue, Feb 8, 2022 at 7:38 PM Joe Conway  wrote:
> If we were to start all over again with this feature my vote would be to
> do things differently than we have done. I would not have called them
> predefined roles, and I would have used attributes of roles (e.g. make
> rolsuper into a bitmap rather than a boolean) rather than role
> membership to implement them. But I didn't find time to participate in
> the original discussion or review/write the code, so I have little room
> to complain.

Yep, fair. I kind of like the predefined role concept myself. I find
it sort of elegant, mostly because I think it scales better than a
bitmask, which can run out of bits surprisingly rapidly. But opinions
can vary, of course.

> However since we did call these things predefined roles, and used role
> membership to implement them, I think they ought to behave both
> self-consistently as a group, and like other real roles.
>
> That is what this patch does unless I am missing something.

Yes, I see that.

> I guess an alternative is to discuss a "proper fix", but it seems to me
> that would be a version 16 thing given how late we are in this
> development cycle and how invasive it is likely to be. And doing nothing
> for pg15 is not a very satisfying proposition :-/

True. The fact that we don't have consistency among existing
predefined roles is IMHO the best argument for this patch. That surely
can't be right.

-- 
Robert Haas
EDB: http://www.enterprisedb.com

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-08 Thread Joe Conway


On 2/8/22 10:07, Robert Haas wrote:

On Tue, Feb 8, 2022 at 10:00 AM Joshua Brindle
 wrote:

4 predefined roles currently use has_privs_of_role in master.

Further, pg_monitor, as an SQL-only predefined role, also behaves
consistently with the INHERIT rules that other roles do.

In order for SQL-only predefined roles to ignore INHERIT we would need
to hardcode bypasses for them, which IMO seems like the worst possible
solution to the current inconsistency.


I agree we need to make the situation consistent. But if you think
there's exactly one problem here and this patch fixes it, I
emphatically disagree.



If we were to start all over again with this feature my vote would be to 
do things differently than we have done. I would not have called them 
predefined roles, and I would have used attributes of roles (e.g. make 
rolsuper into a bitmap rather than a boolean) rather than role 
membership to implement them. But I didn't find time to participate in 
the original discussion or review/write the code, so I have little room 
to complain.


However since we did call these things predefined roles, and used role 
membership to implement them, I think they ought to behave both 
self-consistently as a group, and like other real roles.


That is what this patch does unless I am missing something.

I guess an alternative is to discuss a "proper fix", but it seems to me 
that would be a version 16 thing given how late we are in this 
development cycle and how invasive it is likely to be. And doing nothing 
for pg15 is not a very satisfying proposition :-/


Joe


--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-08 Thread Robert Haas

On Tue, Feb 8, 2022 at 10:00 AM Joshua Brindle
 wrote:
> 4 predefined roles currently use has_privs_of_role in master.
>
> Further, pg_monitor, as an SQL-only predefined role, also behaves
> consistently with the INHERIT rules that other roles do.
>
> In order for SQL-only predefined roles to ignore INHERIT we would need
> to hardcode bypasses for them, which IMO seems like the worst possible
> solution to the current inconsistency.

I agree we need to make the situation consistent. But if you think
there's exactly one problem here and this patch fixes it, I
emphatically disagree.

-- 
Robert Haas
EDB: http://www.enterprisedb.com

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-08 Thread Joshua Brindle

On Tue, Feb 8, 2022 at 8:46 AM Robert Haas  wrote:
>
> On Tue, Feb 8, 2022 at 6:59 AM Joe Conway  wrote:
> > This is similar to bob's access to the default superuser privilege to
> > read data in someone else's table (must SET ROLE to access that capability).
> >
> > But it is different from bob's access to inherited privileges which are
> > GRANTed:
>
> Yeah. I think right here you've put your finger on what's been bugging
> me about this: it's similar to one thing, and it's different from
> another. To you and Joshua and Stephen, it seems 100% obvious that
> these roles should work like grants of other roles. But I think of
> them as capabilities derived from the superuser account, and so I'm
> sort of tempted to think that they should work the way the superuser
> bit does. And that's why I don't think the fact that they work the
> other way is "just a bug" -- it's one of two possible ways that
> someone could think that it ought to work based on how other things in
> the system actually do work.
>
> I'm not hard stuck on the idea that the current behavior is right, but
> I don't think that we can really say that we've made things fully
> consistent unless we make things like SUPERUSER and BYPASSRLS work the
> same way that you want to make predefined roles work. And probably do
> something about the INHERIT flag too because the current situation
> seems like a hot mess.

I think hot mess is an apt description of the current situation, for
example consider that:

src/backend/catalog/aclchk.c
3931: has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA))
3943: has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA))
4279: (has_privs_of_role(roleid, ROLE_PG_READ_ALL_DATA) ||
4280: has_privs_of_role(roleid, ROLE_PG_WRITE_ALL_DATA)))

src/backend/storage/ipc/signalfuncs.c
82: if (!has_privs_of_role(GetUserId(), proc->roleId) &&
83: !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_BACKEND))

src/backend/storage/ipc/procarray.c
3843: if (!has_privs_of_role(GetUserId(), proc->roleId) &&
3844: !has_privs_of_role(GetUserId(), ROLE_PG_SIGNAL_BACKEND))

src/backend/tcop/utility.c
943: if (!has_privs_of_role(GetUserId(), ROLE_PG_CHECKPOINTER))

4 predefined roles currently use has_privs_of_role in master.

Further, pg_monitor, as an SQL-only predefined role, also behaves
consistently with the INHERIT rules that other roles do.

In order for SQL-only predefined roles to ignore INHERIT we would need
to hardcode bypasses for them, which IMO seems like the worst possible
solution to the current inconsistency.

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-08 Thread Robert Haas

On Tue, Feb 8, 2022 at 6:59 AM Joe Conway  wrote:
> This is similar to bob's access to the default superuser privilege to
> read data in someone else's table (must SET ROLE to access that capability).
>
> But it is different from bob's access to inherited privileges which are
> GRANTed:

Yeah. I think right here you've put your finger on what's been bugging
me about this: it's similar to one thing, and it's different from
another. To you and Joshua and Stephen, it seems 100% obvious that
these roles should work like grants of other roles. But I think of
them as capabilities derived from the superuser account, and so I'm
sort of tempted to think that they should work the way the superuser
bit does. And that's why I don't think the fact that they work the
other way is "just a bug" -- it's one of two possible ways that
someone could think that it ought to work based on how other things in
the system actually do work.

I'm not hard stuck on the idea that the current behavior is right, but
I don't think that we can really say that we've made things fully
consistent unless we make things like SUPERUSER and BYPASSRLS work the
same way that you want to make predefined roles work. And probably do
something about the INHERIT flag too because the current situation
seems like a hot mess.

-- 
Robert Haas
EDB: http://www.enterprisedb.com

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-08 Thread Joe Conway


On 2/7/22 12:09, Robert Haas wrote:

On Mon, Feb 7, 2022 at 11:13 AM Joe Conway  wrote:

It is confusing and IMHO dangerous that the predefined roles currently
work differently than regular roles eith respect to privilege inheritance.


I feel like that's kind of a conclusory statement, as opposed to
making an argument. I mean that this tells me something about how you
feel, but it doesn't really help me understand why you feel that way.



The argument is that we call these things "predefined roles", but they 
do not behave the same way normal "roles" behave.


Someone not intimately familiar with that fact could easily make bad 
assumptions, and therefore wind up with misconfigured security settings. 
In other words, it violates the principle of least astonishment (POLA).


As Joshua said nearby, it simply jumps out at me as a bug.

---
After more thought, perhaps the real problem is that these things should 
not have been called "predefined roles" at all. I know, the horse has 
already left the barn on that, but in any case...


They are (to me at least) similar in concept to Linux capabilities in 
that they allow roles other than superusers to do a certain subset of 
the things historically reserved for superusers through a special 
mechanism (hardcoded) rather than through the normal privilege system 
(GRANTS/ACLs).


As an example, the predefined role pg_read_all_settings allows a 
non-superuser to read GUC normally reserved for superuser access only.


If I create a new user "bob" with the default INHERIT attribute, and I 
grant postgres to bob, bob must SET ROLE to postgres in order to access 
the capability to read superuser settings.


This is similar to bob's access to the default superuser privilege to 
read data in someone else's table (must SET ROLE to access that capability).


But it is different from bob's access to inherited privileges which are 
GRANTed:

8<--
psql nmx
psql (15devel)
Type "help" for help.

nmx=# create user bob;
CREATE ROLE

nmx=# grant postgres to bob;
GRANT ROLE

nmx=# \q
8<--
-and-
8<--
psql -U bob nmx
psql (15devel)
Type "help" for help.

nmx=> select current_user;
 current_user
--
 bob
(1 row)

nmx=> show stats_temp_directory;
ERROR:  must be superuser or have privileges of pg_read_all_settings to 
examine "stats_temp_directory"

nmx=> set role postgres;
SET
nmx=# show stats_temp_directory;
 stats_temp_directory
--
 pg_stat_tmp
(1 row)

nmx=# select current_user;
 current_user
--
 postgres
(1 row)

nmx=# select * from foo;
 id

 42
(1 row)

nmx=# reset role;
RESET
nmx=> select current_user;
 current_user
--
 bob
(1 row)

nmx=> select * from foo;
ERROR:  permission denied for table foo
nmx=> set role postgres;
SET
nmx=# grant select on table foo to postgres;
GRANT
nmx=# reset role;
RESET
nmx=> select current_user;
 current_user
--
 bob
(1 row)

nmx=> select * from foo;
 id

 42
(1 row)
8<--

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-07 Thread Joshua Brindle

On Mon, Feb 7, 2022 at 12:09 PM Robert Haas  wrote:
>
> On Mon, Feb 7, 2022 at 11:13 AM Joe Conway  wrote:
> > Easily worked around with one additional level of role:
>
> Interesting.
>
> > > But in the absence of that, it seems clearly better for predefined
> > > roles to disregard INHERIT and just always grant the rights they are
> > > intended to give. Because if we don't do that, then we end up with
> > > people having to SET ROLE to the predefined role and perform actions
> > > directly as that role, which seems like it can't be what we want. I
> > > almost feel like we ought to be looking for ways of preventing people
> > > from doing SET ROLE to a predefined role altogether, not encouraging
> > > them to do it.
> > I disagree with this though.
> >
> > It is confusing and IMHO dangerous that the predefined roles currently
> > work differently than regular roles eith respect to privilege inheritance.
>
> I feel like that's kind of a conclusory statement, as opposed to
> making an argument. I mean that this tells me something about how you
> feel, but it doesn't really help me understand why you feel that way.
>
> I suppose one argument in favor of your position is that if it
> happened to be sri who was granted a predefined role, sunita would
> inherit the rest of sr's privileges only with SET ROLE, but the
> predefined role either way (IIUC, which I might not). If that's so,
> then I guess I see the point, but I'm still sort of inclined to think
> we're just trading one set of problems in for a different set. I just
> have such a hard time imaging anyone using NOINHERIT in anger and
> being happy with the result
>

IMO this is inarguably a plain bug. The inheritance system works one
way for pre-defined roles and another way for other roles - and the
difference isn't even documented.

The question is whether there is a security issue warranting back
patching, which is a bit of a tossup I think. According to git history
it's always worked this way, and the possible breakage of pre-existing
clusters seems maybe not worth it.

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-07 Thread Robert Haas

On Mon, Feb 7, 2022 at 11:13 AM Joe Conway  wrote:
> Easily worked around with one additional level of role:

Interesting.

> > But in the absence of that, it seems clearly better for predefined
> > roles to disregard INHERIT and just always grant the rights they are
> > intended to give. Because if we don't do that, then we end up with
> > people having to SET ROLE to the predefined role and perform actions
> > directly as that role, which seems like it can't be what we want. I
> > almost feel like we ought to be looking for ways of preventing people
> > from doing SET ROLE to a predefined role altogether, not encouraging
> > them to do it.
> I disagree with this though.
>
> It is confusing and IMHO dangerous that the predefined roles currently
> work differently than regular roles eith respect to privilege inheritance.

I feel like that's kind of a conclusory statement, as opposed to
making an argument. I mean that this tells me something about how you
feel, but it doesn't really help me understand why you feel that way.

I suppose one argument in favor of your position is that if it
happened to be sri who was granted a predefined role, sunita would
inherit the rest of sr's privileges only with SET ROLE, but the
predefined role either way (IIUC, which I might not). If that's so,
then I guess I see the point, but I'm still sort of inclined to think
we're just trading one set of problems in for a different set. I just
have such a hard time imaging anyone using NOINHERIT in anger and
being happy with the result

--
Robert Haas
EDB: http://www.enterprisedb.com

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-07 Thread Joe Conway

On 2/7/22 10:35, Robert Haas wrote:

On Sun, Feb 6, 2022 at 12:24 PM Tom Lane  wrote:

Joe Conway  writes:
> I'd like to pick this patch up and see it through to commit/push.
> Presumably that will include back-patching to all supported pg versions.
> Before I go through the effort to back-patch, does anyone want to argue
> that this should *not* be back-patched?

Hm, I'm -0.5 or so.  I think changing security-related behaviors
in a stable branch is a hard sell unless you are closing a security
hole.  This is a fine improvement for HEAD but I'm inclined to
leave the back branches alone.

I think the threshold to back-patch a clear behavior change is pretty
high, so I do not think it should be back-patched.

ok

I am also not convinced that a sufficient argument has been made for
changing this in master. This isn't the only thread where NOINHERIT
has come up lately, and I have to admit that I'm not a fan. Let's
suppose that I have two users, let's say sunita and sri. In the real
world, Sunita is Sri's manager and needs to be able to perform actions
as Sri when Sri is out of the office, but it isn't desirable for
Sunita to have Sri's privileges in all situations all the time. So we
mark role sunita as NOINHERIT and grant sri to sunita. Then it turns
out that Sunita also needs to be COPY TO/FROM PROGRAM, so we give her
pg_execute_server_program. Now, if she can't exercise this privilege
without setting role to the prefined role, that's bad, isn't it? I
mean, we want her to be able to copy between *her* tables and various
shell commands, not the tables owned by pg_execute_server_program, of
which there are presumably none.

Easily worked around with one additional level of role:

8<---
nmx=# create user sunita;
CREATE ROLE
nmx=# create user sri superuser;
CREATE ROLE
nmx=# create user sri_alt noinherit;
CREATE ROLE
nmx=# grant sri to sri_alt;
GRANT ROLE
nmx=# grant sri_alt to sunita;
GRANT ROLE
nmx=# grant pg_execute_server_program to sunita;
GRANT ROLE
nmx=# set session authorization sri;
SET
nmx=# create table foo(id int);
CREATE TABLE
nmx=# insert into foo values(42);
INSERT 0 1
nmx=# set session authorization sunita;
SET
nmx=> select * from foo;
ERROR:  permission denied for table foo
nmx=> set role sri;
SET
nmx=# select * from foo;
 id

 42
(1 row)

nmx=# reset role;
RESET
nmx=> select current_user;
 current_user
--
 sunita
(1 row)

nmx=> create temp table sfoo(f1 text);
CREATE TABLE
nmx=> copy sfoo(f1) from program 'id';
COPY 1
nmx=> select f1 from sfoo;
   f1 

 uid=1001(postgres) gid=1001(postgres) 
groups=1001(postgres),108(ssl-cert),1002(pgconf)

(1 row)
8<---

It seems to me that the INHERIT role flag isn't very well-considered.
Inheritance, or the lack of it, ought to be decided separately for
each inherited role. However, that would be a major architectural
change.

Agreed -- that would be useful.

But in the absence of that, it seems clearly better for predefined
roles to disregard INHERIT and just always grant the rights they are
intended to give. Because if we don't do that, then we end up with
people having to SET ROLE to the predefined role and perform actions
directly as that role, which seems like it can't be what we want. I
almost feel like we ought to be looking for ways of preventing people
from doing SET ROLE to a predefined role altogether, not encouraging
them to do it.

I disagree with this though.

It is confusing and IMHO dangerous that the predefined roles currently 
work differently than regular roles eith respect to privilege inheritance.

In fact, I would extend that argument to the pseudo-role PUBLIC.

Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-07 Thread Robert Haas

On Sun, Feb 6, 2022 at 12:24 PM Tom Lane  wrote:
> Joe Conway  writes:
> > I'd like to pick this patch up and see it through to commit/push.
> > Presumably that will include back-patching to all supported pg versions.
> > Before I go through the effort to back-patch, does anyone want to argue
> > that this should *not* be back-patched?
>
> Hm, I'm -0.5 or so.  I think changing security-related behaviors
> in a stable branch is a hard sell unless you are closing a security
> hole.  This is a fine improvement for HEAD but I'm inclined to
> leave the back branches alone.

I think the threshold to back-patch a clear behavior change is pretty
high, so I do not think it should be back-patched.

I am also not convinced that a sufficient argument has been made for
changing this in master. This isn't the only thread where NOINHERIT
has come up lately, and I have to admit that I'm not a fan. Let's
suppose that I have two users, let's say sunita and sri. In the real
world, Sunita is Sri's manager and needs to be able to perform actions
as Sri when Sri is out of the office, but it isn't desirable for
Sunita to have Sri's privileges in all situations all the time. So we
mark role sunita as NOINHERIT and grant sri to sunita. Then it turns
out that Sunita also needs to be COPY TO/FROM PROGRAM, so we give her
pg_execute_server_program. Now, if she can't exercise this privilege
without setting role to the prefined role, that's bad, isn't it? I
mean, we want her to be able to copy between *her* tables and various
shell commands, not the tables owned by pg_execute_server_program, of
which there are presumably none.

It seems to me that the INHERIT role flag isn't very well-considered.
Inheritance, or the lack of it, ought to be decided separately for
each inherited role. However, that would be a major architectural
change. But in the absence of that, it seems clearly better for
predefined roles to disregard INHERIT and just always grant the rights
they are intended to give. Because if we don't do that, then we end up
with people having to SET ROLE to the predefined role and perform
actions directly as that role, which seems like it can't be what we
want. I almost feel like we ought to be looking for ways of preventing
people from doing SET ROLE to a predefined role altogether, not
encouraging them to do it.

-- 
Robert Haas
EDB: http://www.enterprisedb.com

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-06 Thread Tom Lane

Joe Conway  writes:
> I'd like to pick this patch up and see it through to commit/push. 
> Presumably that will include back-patching to all supported pg versions.
> Before I go through the effort to back-patch, does anyone want to argue 
> that this should *not* be back-patched?

Hm, I'm -0.5 or so.  I think changing security-related behaviors
in a stable branch is a hard sell unless you are closing a security
hole.  This is a fine improvement for HEAD but I'm inclined to
leave the back branches alone.

regards, tom lane

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-02-06 Thread Joe Conway

On 1/4/22 16:51, Joshua Brindle wrote:

On Tue, Jan 4, 2022 at 3:56 PM Tom Lane  wrote:

"Bossart, Nathan"  writes:
> On 11/12/21, 12:34 PM, "Joshua Brindle"  
wrote:
>> All of these and also adminpack.sgml updated. I think that is all of
>> them but docs broken across lines and irregular wording makes it
>> difficult.

> LGTM.  I've marked this as ready-for-committer.

This needs another rebase --- it's trying to adjust
file_fdw/output/file_fdw.source, which no longer exists
(fix the regular file_fdw.out, instead).

regards, tom lane

Attached, thanks

I'd like to pick this patch up and see it through to commit/push. 
Presumably that will include back-patching to all supported pg versions.

Before I go through the effort to back-patch, does anyone want to argue 
that this should *not* be back-patched?

Thanks,

Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-01-04 Thread Joshua Brindle

On Tue, Jan 4, 2022 at 3:56 PM Tom Lane  wrote:
>
> "Bossart, Nathan"  writes:
> > On 11/12/21, 12:34 PM, "Joshua Brindle"  
> > wrote:
> >> All of these and also adminpack.sgml updated. I think that is all of
> >> them but docs broken across lines and irregular wording makes it
> >> difficult.
>
> > LGTM.  I've marked this as ready-for-committer.
>
> This needs another rebase --- it's trying to adjust
> file_fdw/output/file_fdw.source, which no longer exists
> (fix the regular file_fdw.out, instead).
>
> regards, tom lane

Attached, thanks


v4-0001-use-has_privs_for_roles-for-predefined-role-checks.patch
Description: Binary data

Re: [PATCH v2] use has_privs_for_role for predefined roles

2022-01-04 Thread Tom Lane

"Bossart, Nathan"  writes:
> On 11/12/21, 12:34 PM, "Joshua Brindle"  
> wrote:
>> All of these and also adminpack.sgml updated. I think that is all of
>> them but docs broken across lines and irregular wording makes it
>> difficult.

> LGTM.  I've marked this as ready-for-committer.

This needs another rebase --- it's trying to adjust
file_fdw/output/file_fdw.source, which no longer exists
(fix the regular file_fdw.out, instead).

regards, tom lane

Re: [PATCH v2] use has_privs_for_role for predefined roles

2021-11-15 Thread Bossart, Nathan

On 11/12/21, 12:34 PM, "Joshua Brindle"  wrote:
> All of these and also adminpack.sgml updated. I think that is all of
> them but docs broken across lines and irregular wording makes it
> difficult.

LGTM.  I've marked this as ready-for-committer.

Nathan

Re: [PATCH v2] use has_privs_for_role for predefined roles

2021-11-12 Thread Joshua Brindle

On Wed, Nov 10, 2021 at 12:45 PM Bossart, Nathan  wrote:
>
> On 11/8/21, 2:19 PM, "Joshua Brindle"  wrote:
> > Thanks for the review, attached is an update with that comment fixed
> > and also sgml documentation changes that I missed earlier.
>
> I think there are a number of documentation changes that are still
> missing.  I did a quick scan and saw the "is member of" language in
> func.sgml, monitoring.sgml, pgbuffercache.sgml, pgfreespacemap.sgml,
> pgrowlocks.sgml, pgstatstatements.sgml, and pgvisibility.sgml.

All of these and also adminpack.sgml updated. I think that is all of
them but docs broken across lines and irregular wording makes it
difficult.

> 
>  By default, the pg_shmem_allocations view can be
> -   read only by superusers or members of the 
> pg_read_all_stats
> -   role.
> +   read only by superusers or roles with privilges of the
> +   pg_read_all_stats role.
> 
> 
>
> nitpick: "privileges" is misspelled.

Fixed, thanks for reviewing.


0001-use-has_privs_for_roles-for-predefined-role-checks.patch
Description: Binary data

Re: [PATCH v2] use has_privs_for_role for predefined roles

2021-11-10 Thread Bossart, Nathan

On 11/8/21, 2:19 PM, "Joshua Brindle"  wrote:
> Thanks for the review, attached is an update with that comment fixed
> and also sgml documentation changes that I missed earlier.

I think there are a number of documentation changes that are still
missing.  I did a quick scan and saw the "is member of" language in
func.sgml, monitoring.sgml, pgbuffercache.sgml, pgfreespacemap.sgml,
pgrowlocks.sgml, pgstatstatements.sgml, and pgvisibility.sgml.

 By default, the pg_shmem_allocations view can be
-   read only by superusers or members of the 
pg_read_all_stats
-   role.
+   read only by superusers or roles with privilges of the
+   pg_read_all_stats role.

nitpick: "privileges" is misspelled.

Nathan

Re: [PATCH v2] use has_privs_for_role for predefined roles

2021-11-08 Thread Joshua Brindle

On Mon, Nov 8, 2021 at 3:44 PM Stephen Frost  wrote:
>
> Greetings,
>
> * Joshua Brindle (joshua.brin...@crunchydata.com) wrote:
> > On Wed, Oct 27, 2021 at 5:20 PM Joshua Brindle 
> >  wrote:
> > > On Wed, Oct 27, 2021 at 5:16 PM Robert Haas  wrote:
> > > > On Wed, Oct 27, 2021 at 5:14 PM Joshua Brindle
> > > >  wrote:
> > > > > Attached is an updated version of the patch to replace
> > > > > is_member_of_role with has_privs_for_role for predefined roles. It
> > > > > does not remove is_member_of_role from acl.h but it does add a warning
> > > > > not to use that function for privilege checking.
> > > > >
> > > > > Please consider this for the upcoming commitfest.
> > > >
> > > > I am not sure I understand what the advantage of this is supposed to be.
> > >
> > > Pre-defined roles currently do not operate the same way other roles do
> > > with respect to inheritance. The patchfile has an explanation and
> > > examples, I wasn't sure if that needed to be repeated in the email or
> > > not.
> >
> > And FWIW several predefined role patches on the list currently
> > correctly use has_privs_for_role rather than is_memver_of_role so this
> > brings the older roles to be consistent with the newer ones being
> > proposed.
>
> Right, we really should be consistent here and we're not and that's not
> a good thing.  Further, if you're logged in as an unprivileged role and
> expect to not see things that you shouldn't, then it's not good for that
> to end up happening because you've been GRANT'd a more privileged, but
> noinherit, role that was given some predefined roles.  This doesn't end
> up being an actual security issue as you could just SET ROLE to that
> more privileged role, so it's not that you couldn't see that data, just
> that you should have had to SET ROLE to do so.
>
> Reviewing the actual patch, it generally looks good to me except that
> you missed updating this comment:
>
> Superusers or members of pg_read_all_stats members are allowed

Thanks for the review, attached is an update with that comment fixed
and also sgml documentation changes that I missed earlier.


0001-use-has_privs_for_roles-for-predefined-role-checks.patch
Description: Binary data

Re: [PATCH v2] use has_privs_for_role for predefined roles

2021-11-08 Thread Stephen Frost

Greetings,

* Joshua Brindle (joshua.brin...@crunchydata.com) wrote:
> On Wed, Oct 27, 2021 at 5:20 PM Joshua Brindle 
>  wrote:
> > On Wed, Oct 27, 2021 at 5:16 PM Robert Haas  wrote:
> > > On Wed, Oct 27, 2021 at 5:14 PM Joshua Brindle
> > >  wrote:
> > > > Attached is an updated version of the patch to replace
> > > > is_member_of_role with has_privs_for_role for predefined roles. It
> > > > does not remove is_member_of_role from acl.h but it does add a warning
> > > > not to use that function for privilege checking.
> > > >
> > > > Please consider this for the upcoming commitfest.
> > >
> > > I am not sure I understand what the advantage of this is supposed to be.
> >
> > Pre-defined roles currently do not operate the same way other roles do
> > with respect to inheritance. The patchfile has an explanation and
> > examples, I wasn't sure if that needed to be repeated in the email or
> > not.
> 
> And FWIW several predefined role patches on the list currently
> correctly use has_privs_for_role rather than is_memver_of_role so this
> brings the older roles to be consistent with the newer ones being
> proposed.

Right, we really should be consistent here and we're not and that's not
a good thing.  Further, if you're logged in as an unprivileged role and
expect to not see things that you shouldn't, then it's not good for that
to end up happening because you've been GRANT'd a more privileged, but
noinherit, role that was given some predefined roles.  This doesn't end
up being an actual security issue as you could just SET ROLE to that
more privileged role, so it's not that you couldn't see that data, just
that you should have had to SET ROLE to do so.

Reviewing the actual patch, it generally looks good to me except that
you missed updating this comment:

Superusers or members of pg_read_all_stats members are allowed

Thanks,

Stephen

signature.asc
Description: PGP signature

Re: [PATCH v2] use has_privs_for_role for predefined roles

2021-10-27 Thread Bossart, Nathan

On 10/27/21, 2:19 PM, "Robert Haas"  wrote:
> I am not sure I understand what the advantage of this is supposed to be.

There are a couple of other related threads with some additional
context:


https://www.postgresql.org/message-id/flat/20211026224731.115337-1-joshua.brindle%40crunchydata.com

https://www.postgresql.org/message-id/flat/CAGB%2BVh4enxvLBM_BJweWEO12Q0ySLMBWK9iOLaM7e%3DV1Y0YadA%40mail.gmail.com

Nathan

Re: [PATCH v2] use has_privs_for_role for predefined roles

2021-10-27 Thread Joshua Brindle

On Wed, Oct 27, 2021 at 5:20 PM Joshua Brindle
 wrote:
>
> On Wed, Oct 27, 2021 at 5:16 PM Robert Haas  wrote:
> >
> > On Wed, Oct 27, 2021 at 5:14 PM Joshua Brindle
> >  wrote:
> > > Attached is an updated version of the patch to replace
> > > is_member_of_role with has_privs_for_role for predefined roles. It
> > > does not remove is_member_of_role from acl.h but it does add a warning
> > > not to use that function for privilege checking.
> > >
> > > Please consider this for the upcoming commitfest.
> >
> > I am not sure I understand what the advantage of this is supposed to be.
>
> Pre-defined roles currently do not operate the same way other roles do
> with respect to inheritance. The patchfile has an explanation and
> examples, I wasn't sure if that needed to be repeated in the email or
> not.

And FWIW several predefined role patches on the list currently
correctly use has_privs_for_role rather than is_memver_of_role so this
brings the older roles to be consistent with the newer ones being
proposed.

Re: [PATCH v2] use has_privs_for_role for predefined roles

2021-10-27 Thread Joshua Brindle

On Wed, Oct 27, 2021 at 5:16 PM Robert Haas  wrote:
>
> On Wed, Oct 27, 2021 at 5:14 PM Joshua Brindle
>  wrote:
> > Attached is an updated version of the patch to replace
> > is_member_of_role with has_privs_for_role for predefined roles. It
> > does not remove is_member_of_role from acl.h but it does add a warning
> > not to use that function for privilege checking.
> >
> > Please consider this for the upcoming commitfest.
>
> I am not sure I understand what the advantage of this is supposed to be.

Pre-defined roles currently do not operate the same way other roles do
with respect to inheritance. The patchfile has an explanation and
examples, I wasn't sure if that needed to be repeated in the email or
not.

Re: [PATCH v2] use has_privs_for_role for predefined roles

2021-10-27 Thread Robert Haas

On Wed, Oct 27, 2021 at 5:14 PM Joshua Brindle
 wrote:
> Attached is an updated version of the patch to replace
> is_member_of_role with has_privs_for_role for predefined roles. It
> does not remove is_member_of_role from acl.h but it does add a warning
> not to use that function for privilege checking.
>
> Please consider this for the upcoming commitfest.

I am not sure I understand what the advantage of this is supposed to be.

-- 
Robert Haas
EDB: http://www.enterprisedb.com

41 matches

Mail list logo