PG13 Trusted Extension usability issue
First, as a long time user of the pgextwlist extension, I'm happy to see
this functionality appearing in core. However, as a long term user of that
extension, I can say that ability to create an extension as a non-super
user is pretty limited in itself in a lot of cases. Many extensions both
in contrib and external ones (like PostGIS for example) don't give
appropriate permissions to actually use the extension.
Taking postgresql_fdw as an example.
I modify the control file to allow it to be trusted (I'd suggest how to do
this be documented as well)
cat /usr/pgsql-13/share/extension/postgres_fdw.control
# postgres_fdw extension
comment = 'foreign-data wrapper for remote PostgreSQL servers'
default_version = '1.0'
module_pathname = '$libdir/postgres_fdw'
relocatable = true
trusted = true
My current, non-super user:
\du admin
List of roles
Role name | Attributes | Member of
-----------+------------------------+-----------
admin | Create role, Create DB | {}
Create the extension:
test2=> create extension postgres_fdw ;
CREATE EXTENSION
Actually try and use it:
test2=> CREATE SERVER foreign_server
FOREIGN DATA WRAPPER postgres_fdw
OPTIONS (host '192.83.123.89', port '5432', dbname 'foreign_db');
ERROR: permission denied for foreign-data wrapper postgres_fdw
To make it work, you need a superuser to run GRANT usage ... on the foreign
data wrapper to the user that creates it. And while a superuser can apply
the needed grants, it's an awkard feature to allow a non-superuser to
create an extension, then require a superuser to grant things to allow it
to actually be used.
There are lots of other cases of such behavior. pg_stats_statements_reset
() for example. Big external extensions like PostGIS also suffer from
permissions issues.
Brad.
"Brad Nicholson" <bradn@ca.ibm.com> writes:
First, as a long time user of the pgextwlist extension, I'm happy to see
this functionality appearing in core. However, as a long term user of that
extension, I can say that ability to create an extension as a non-super
user is pretty limited in itself in a lot of cases. Many extensions both
in contrib and external ones (like PostGIS for example) don't give
appropriate permissions to actually use the extension.
Taking postgresql_fdw as an example.
I'm confused about your point here. postgresql_fdw has intentionally
*not* been marked trusted. That's partly because it doesn't seem like
outside-the-database access is something we want to allow by default,
but it's also the case that there are inside-the-database permissions
issues. So no, we have not solved those, but that is not a shortcoming
of the trusted-extensions feature AFAICS. It is not the intent of
that feature that you can randomly mark unsafe extensions as trusted
and have every one of their permissions safety-checks vanish.
regards, tom lane
Tom Lane <tgl@sss.pgh.pa.us> wrote on 2020/06/26 02:47:25 PM:
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "Brad Nicholson" <bradn@ca.ibm.com>
Cc: pgsql-general@lists.postgresql.org
Date: 2020/06/26 02:51 PM
Subject: [EXTERNAL] Re: PG13 Trusted Extension usability issue"Brad Nicholson" <bradn@ca.ibm.com> writes:
First, as a long time user of the pgextwlist extension, I'm happy to
see
this functionality appearing in core. However, as a long term user of
that
extension, I can say that ability to create an extension as a non-super
user is pretty limited in itself in a lot of cases. Many extensions
both
in contrib and external ones (like PostGIS for example) don't give
appropriate permissions to actually use the extension.Taking postgresql_fdw as an example.
I'm confused about your point here. postgresql_fdw has intentionally
*not* been marked trusted. That's partly because it doesn't seem like
outside-the-database access is something we want to allow by default,
but it's also the case that there are inside-the-database permissions
issues.
Ah - I misread the docs. Specifically I read this:
"For many extensions this means superuser privileges are needed. However,
if the extension is marked trusted in its control file, then it can be
installed by any user who has CREATE privilege on the current database"
To mean that you could mark any extension as trusted in the control file to
allow non-superuser installation.
Thanks,
Brad
On 6/26/20 12:03 PM, Brad Nicholson wrote:
Tom Lane <tgl@sss.pgh.pa.us> wrote on 2020/06/26 02:47:25 PM:
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "Brad Nicholson" <bradn@ca.ibm.com>
Cc: pgsql-general@lists.postgresql.org
Date: 2020/06/26 02:51 PM
Subject: [EXTERNAL] Re: PG13 Trusted Extension usability issue"Brad Nicholson" <bradn@ca.ibm.com> writes:
First, as a long time user of the pgextwlist extension, I'm happy
to see
this functionality appearing in core. �However, as a long term user
of that
extension, I can say that ability to create an extension as a non-super
user is pretty limited in itself in a lot of cases. �Manyextensions both
in contrib and external ones (like PostGIS for example) don't give
appropriate permissions to actually use the extension.Taking postgresql_fdw as an example.
I'm confused about your point here. �postgresql_fdw has intentionally
*not* been marked trusted. �That's partly because it doesn't seem like
outside-the-database access is something we want to allow by default,
but it's also the case that there are inside-the-database permissions
issues.Ah - I misread the docs. �Specifically I read this:
"For many extensions this means superuser privileges are needed.
However, if the extension is marked trusted in its control file, then it
can be installed by any user who has CREATE privilege on the current
database"
The rest of that paragraph:
"In this case the extension object itself will be owned by the calling
user, but the contained objects will be owned by the bootstrap superuser
(unless the extension's script explicitly assigns them to the calling
user). This configuration gives the calling user the right to drop the
extension, but not to modify individual objects within it."
To mean that you could mark any extension as trusted in the control file
to allow non-superuser installation.Thanks,
Brad
--
Adrian Klaver
adrian.klaver@aklaver.com
"Brad Nicholson" <bradn@ca.ibm.com> writes:
Tom Lane <tgl@sss.pgh.pa.us> wrote on 2020/06/26 02:47:25 PM:
I'm confused about your point here. postgresql_fdw has intentionally
*not* been marked trusted. That's partly because it doesn't seem like
outside-the-database access is something we want to allow by default,
but it's also the case that there are inside-the-database permissions
issues.
Ah - I misread the docs. Specifically I read this:
"For many extensions this means superuser privileges are needed. However,
if the extension is marked trusted in its control file, then it can be
installed by any user who has CREATE privilege on the current database"
To mean that you could mark any extension as trusted in the control file to
allow non-superuser installation.
Well, it's just like anything else in an open-source database: you can
change the code however you want, but the fallout from that is on you.
In the case at hand, you might be able to do what you want by adding
something along the line of
GRANT USAGE ON FOREIGN DATA WRAPPER postgres_fdw
TO @extowner@ WITH GRANT OPTION;
to the extension install script. But nobody's researched whether that's
reasonable from a security standpoint, or whether it will play nicely
with dump/reload, etc etc.
regards, tom lane
Greetings,
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
"Brad Nicholson" <bradn@ca.ibm.com> writes:
Tom Lane <tgl@sss.pgh.pa.us> wrote on 2020/06/26 02:47:25 PM:
I'm confused about your point here. postgresql_fdw has intentionally
*not* been marked trusted. That's partly because it doesn't seem like
outside-the-database access is something we want to allow by default,
but it's also the case that there are inside-the-database permissions
issues.Ah - I misread the docs. Specifically I read this:
"For many extensions this means superuser privileges are needed. However,
if the extension is marked trusted in its control file, then it can be
installed by any user who has CREATE privilege on the current database"
To mean that you could mark any extension as trusted in the control file to
allow non-superuser installation.Well, it's just like anything else in an open-source database: you can
change the code however you want, but the fallout from that is on you.In the case at hand, you might be able to do what you want by adding
something along the line ofGRANT USAGE ON FOREIGN DATA WRAPPER postgres_fdw
TO @extowner@ WITH GRANT OPTION;to the extension install script. But nobody's researched whether that's
reasonable from a security standpoint, or whether it will play nicely
with dump/reload, etc etc.
Indeed that could be done, and almost certainly will be by cloud
vendors, resulting in more forks of PG done in different ways.
I do agree that, in general, we need a way to allow a superuser to GRANT
the right to connect to other systems (so that it could be done
initially when creating the not-really-superuser-privileged-user, before
the extension is created), since we don't want that to be allowed from
the start, then have that checked by extensions, but once that's done it
seems like it'd be alright to include the above GRANT USAGE in upstream
(regarding this specific concern, at least).
Seems like a default role would probably be the way to add that.
Thanks,
Stephen