On Tue, Apr 20, 2021 at 1:31 AM Mark Dilger <mark.dil...@enterprisedb.com> wrote:
> I think you are conflating the concept of an operating system administrator
> with the concept of the database superuser/owner.

You should conflate those things, because there's no meaningful privilege boundary between them:

http://rhaas.blogspot.com/2020/12/cve-2019-9193.html

If reading the whole thing is too much, scroll down to the part in fixed-width font and behold me trivially compromising the OS account using plperlu.

I actually think this is a design error on our part. A lot of people, apparently including you, feel that there should be a privilege boundary between the PostgreSQL superuser and the OS user, or want such a boundary to exist. It would be quite useful if there were a boundary there, because it's entirely reasonable to want to have a user who is allowed to do everything with the database except escape into the OS account, and I can't think of any reason why we couldn't set things up so that this is possible. We'd have to bar some things that the superuser can currently do, like directly modify system tables and use COPY TO/FROM PROGRAM, but there's a lot of things we could allow too, like reading all the data and creating and deleting accounts and setting their permissions arbitrarily, except maybe for any special super-DUPER users who are allowed to do things that escape the sandbox.

Now it would take a fair amount of work to make that distinction in a rigorous way and figure out exactly what the design ought to be, and I'm not volunteering. But I bet a lot of people would like it.

-- 
Robert Haas
EDB: http://www.enterprisedb.com
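Since, as the message above argues, the superuser and anyone who can reach COPY ... PROGRAM or an untrusted PL effectively hold the server's OS account, an operator will want to know which roles that currently is. The following audit queries are an added example for this thread, not code from the thread or from the PostgreSQL project; they assume PostgreSQL 11 or later (for the pg_execute_server_program / pg_read_server_files / pg_write_server_files built-in roles) and run against the system catalogs of the current database.

```sql
-- Added example, not from the thread. Assumes PostgreSQL 11+.
-- 1. Roles that can reach the OS account directly: superusers, plus
--    non-superusers granted the built-in server-file/program roles
--    (COPY TO/FROM PROGRAM is what pg_execute_server_program unlocks).
SELECT r.rolname,
       r.rolsuper                                                 AS is_superuser,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_copy_program,
       pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER') AS can_read_server_files,
       pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER') AS can_write_server_files
FROM pg_roles r
WHERE r.rolname NOT LIKE 'pg\_%'          -- skip the built-in pg_* roles themselves
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER'))
ORDER BY r.rolname;

-- 2. Untrusted procedural languages installed in this database (plperlu,
--    plpythonu, ...). Functions in these run with the server process's
--    OS privileges, which is the plperlu escape the message refers to.
SELECT l.lanname,
       pg_get_userbyid(l.lanowner) AS owner
FROM pg_language l
WHERE l.lanispl
  AND NOT l.lanpltrusted
ORDER BY l.lanname;

-- 3. Every function already defined in an untrusted language, with its
--    owner and whether it is SECURITY DEFINER (callable by others with
--    the owner's rights). Review this list when granting EXECUTE.
SELECT n.nspname || '.' || p.proname       AS function_name,
       l.lanname                           AS language,
       pg_get_userbyid(p.proowner)         AS owner,
       p.prosecdef                         AS security_definer
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanispl
  AND NOT l.lanpltrusted
ORDER BY 1;
```

Run the queries as a superuser (or a role with read access to the catalogs) in each database, since pg_language and pg_proc are per-database while pg_roles is cluster-wide.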