AW: "setuid" functions, a solution to the RI privilege problem
(With 7.2 I plan to get rid of pg_shadow.usesysid and
identify users via
pg_shadow.oid and the superuser oid will be hard-coded into
include/catalog/pg_shadow.h, so at that point they will work.)
Imho it is fine to get rid of the usesysid in our internal authorization
system,
but we should not get rid of the only field that can tie a db user
to an os user. Imho we should not do a "by name" lookup
and eliminate the field. The extra field adds additional flexibility,
like using one os user for many db users, or using different names
for os users.
In the long run we will need a tie to os users for os level setuid user
functions.
Andreas
Zeugswetter Andreas SB writes:
Imho it is fine to get rid of the usesysid in our internal
authorization system, but we should not get rid of the only field that
can tie a db user to an os user. Imho we should not do a "by name"
lookup and eliminate the field.
Um, well, the only possible way to determine the session user when the
backend starts is to use the textual user name provided by the
authentication subsystem.
The extra field adds additional flexibility, like using one os user
for many db users, or using different names for os users.
In the long run we will need a tie to os users for os level setuid
user functions.
But the pg_shadow authentication is based on credentials provided by the
client whereas what you propose here would run on the server, so this
doesn't make sense. When we get around to these setuid user functions
(while I have no idea how we would do so) we certainly need to have a
separate control mechanism.
--
Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/