Re: [HACKERS] Question: CREATE EXTENSION and create schema permission?
Kohei KaiGai kai...@kaigai.gr.jp writes:
> The attached patch adds a permission check for the scenario that I explained below.

Instead of using this patch, I changed the code to call CreateSchemaCommand itself. The test that was still missing was the one to restrict the schema name to not start with pg_. It seemed to me that if we were treating this as a basically nonprivileged schema creation operation, that rule ought to be enforced too, as well as any other restrictions that we might someday add to CREATE SCHEMA execution.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Question: CREATE EXTENSION and create schema permission?
The attached patch adds a permission check for the scenario that I explained below. Unlike CreateSchemaCommand(), we don't have check_is_member_of_role() here because the extowner is obviously the same as the current user in this code path. I hope this patch will also be back-ported to the v9.1 tree, not only v9.2 development.

Thanks,

2011/8/21 Dimitri Fontaine dimi...@2ndquadrant.fr:
> Kohei KaiGai kai...@kaigai.gr.jp writes:
>> The current implementation sets the current user as the owner of the new schema. The default permission check of a schema allows the owner to create several kinds of underlying objects. As a result, we may consider a scenario in which a user without permissions to create new objects possibly gets a schema created by CREATE EXTENSION that allows him to create new objects (such as table, function, ...). I don't think it is a desirable behavior. :-(
>
> Agreed,
> --
> Dimitri Fontaine
> http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support

--
KaiGai Kohei kai...@kaigai.gr.jp

pgsql-create-extension-permission-checks.patch
Description: Binary data
Re: [HACKERS] Question: CREATE EXTENSION and create schema permission?
Kohei KaiGai kai...@kaigai.gr.jp writes:
> However, it allows users to create a new schema with his ownership, even if the current user does not have permission to create a new schema.
> [...]
> It seems to me that we should inject permission checks here like CreateSchemaCommand() does.

It seems to me the code has been written this way before we relaxed the superuser-only check in CREATE EXTENSION. I'm not enough into security to convince myself there's harm to protect against here, but I would agree there's a sound logic into refusing to create the schema if the current role isn't granted that operation.

Please note, though, that you're effectively forbidding the role to create the extension. As it's not relocatable, the role will not be able to install it into another schema. Which could be exactly what you wanted to achieve.

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
Re: [HACKERS] Question: CREATE EXTENSION and create schema permission?
2011/8/21 Dimitri Fontaine dimi...@2ndquadrant.fr:
> Kohei KaiGai kai...@kaigai.gr.jp writes:
>> However, it allows users to create a new schema with his ownership, even if the current user does not have permission to create a new schema.
>> [...]
>> It seems to me that we should inject permission checks here like CreateSchemaCommand() does.
>
> It seems to me the code has been written this way before we relaxed the superuser-only check in CREATE EXTENSION. I'm not enough into security to convince myself there's harm to protect against here, but I would agree there's a sound logic into refusing to create the schema if the current role isn't granted that operation.
>
> Please note, though, that you're effectively forbidding the role to create the extension. As it's not relocatable, the role will not be able to install it into another schema. Which could be exactly what you wanted to achieve.

The current implementation sets the current user as the owner of the new schema. The default permission check of a schema allows the owner to create several kinds of underlying objects. As a result, we may consider a scenario in which a user without permissions to create new objects possibly gets a schema created by CREATE EXTENSION that allows him to create new objects (such as table, function, ...). I don't think it is a desirable behavior. :-(

Thanks,
--
KaiGai Kohei kai...@kaigai.gr.jp
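An audit query for the condition discussed in this thread, added here as an example that is not part of the original messages or of the PostgreSQL source: it lists schemas owned by a non-superuser role that lacks CREATE on the current database, together with any extension installed in them. The catalogs and privilege functions are standard PostgreSQL; skipping roles whose names start with pg_ is an assumption made to leave out predefined roles.

```sql
-- Schemas whose owner could not have created them through CREATE SCHEMA,
-- because the owner has no CREATE privilege on this database.
SELECT n.nspname                                   AS schema_name,
       r.rolname                                   AS schema_owner,
       has_schema_privilege(r.oid, n.oid, 'CREATE') AS owner_can_create_objects,
       e.extname                                   AS extension_in_schema,
       e.extrelocatable                            AS extension_relocatable
FROM pg_namespace n
JOIN pg_roles r
  ON r.oid = n.nspowner
LEFT JOIN pg_extension e
  ON e.extnamespace = n.oid
WHERE n.nspname !~ '^pg_'                 -- system schemas
  AND n.nspname <> 'information_schema'
  AND NOT r.rolsuper                      -- superusers bypass the check anyway
  AND r.rolname !~ '^pg_'                 -- assumption: ignore predefined roles
  AND NOT has_database_privilege(r.oid, current_database()::text, 'CREATE')
ORDER BY n.nspname;
```

A row is a candidate for review rather than proof, since a superuser may have assigned the schema deliberately with CREATE SCHEMA ... AUTHORIZATION or ALTER SCHEMA ... OWNER TO.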
Re: [HACKERS] Question: CREATE EXTENSION and create schema permission?
Kohei KaiGai kai...@kaigai.gr.jp writes:
> The current implementation sets the current user as the owner of the new schema. The default permission check of a schema allows the owner to create several kinds of underlying objects. As a result, we may consider a scenario in which a user without permissions to create new objects possibly gets a schema created by CREATE EXTENSION that allows him to create new objects (such as table, function, ...). I don't think it is a desirable behavior. :-(

Agreed,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support