Greetings,
* Stephen Frost (sfr...@snowman.net) wrote:
> Great, thanks. I'll be doing more review of it myself and see about
> pushing it later this afternoon.
Took a bit longer as I wanted to check over a few more things, but I've
now pushed this. Thanks much for all of the help with review an
Michael,
* Michael Paquier (mich...@paquier.xyz) wrote:
> On Mon, Apr 02, 2018 at 05:09:21PM -0400, Stephen Frost wrote:
> > * Michael Paquier (mich...@paquier.xyz) wrote:
> >> No refactoring for pg_file_unlink and its v1.1?
> >
> > I considered each function and thought about if it'd make sense
On Mon, Apr 02, 2018 at 05:09:21PM -0400, Stephen Frost wrote:
> * Michael Paquier (mich...@paquier.xyz) wrote:
>> No refactoring for pg_file_unlink and its v1.1?
>
> I considered each function and thought about if it'd make sense to
> refactor them or if they were simple enough that the additiona
Michael, all,
* Michael Paquier (mich...@paquier.xyz) wrote:
> On Sun, Apr 01, 2018 at 09:39:02AM -0400, Stephen Frost wrote:
> > Thanks for checking. Attached is an updated version which also includes
> > the changes for adminpack, done in a similar manner to how pgstattuple
> > was updated, as
On Sun, Apr 01, 2018 at 09:39:02AM -0400, Stephen Frost wrote:
> Thanks for checking. Attached is an updated version which also includes
> the changes for adminpack, done in a similar manner to how pgstattuple
> was updated, as discussed. Regression tests updated and extended a bit,
> doc updates
Greetings,
* Michael Paquier (mich...@paquier.xyz) wrote:
> On Sun, Mar 25, 2018 at 09:43:25PM -0400, Stephen Frost wrote:
> > * Michael Paquier (mich...@paquier.xyz) wrote:
> >> On Thu, Mar 08, 2018 at 10:15:11AM +0900, Michael Paquier wrote:
> >> > Other than that the patch looks in pretty good
On Sun, Mar 25, 2018 at 09:43:25PM -0400, Stephen Frost wrote:
> * Michael Paquier (mich...@paquier.xyz) wrote:
>> On Thu, Mar 08, 2018 at 10:15:11AM +0900, Michael Paquier wrote:
>> > Other than that the patch looks in pretty good shape to me.
>>
>> The regression tests of file_fdw are blowing up
Greetings,
* Michael Paquier (mich...@paquier.xyz) wrote:
> On Thu, Mar 08, 2018 at 10:15:11AM +0900, Michael Paquier wrote:
> > Other than that the patch looks in pretty good shape to me.
>
> The regression tests of file_fdw are blowing up because of an error
> string patch 2 changes.
Fixed in
On Thu, Mar 08, 2018 at 10:15:11AM +0900, Michael Paquier wrote:
> Other than that the patch looks in pretty good shape to me.
The regression tests of file_fdw are blowing up because of an error
string patch 2 changes.
--
Michael
signature.asc
Description: PGP signature
On Wed, Mar 07, 2018 at 07:00:03AM -0500, Stephen Frost wrote:
> * Michael Paquier (mich...@paquier.xyz) wrote:
>> First, could it be possible to do a split for 1) and 2)?
>
> Done, because it was less work than arguing about it, but I'm not
> convinced that we really need to split out patches to
Greetings Michael,
* Michael Paquier (mich...@paquier.xyz) wrote:
> On Tue, Mar 06, 2018 at 10:00:54AM -0500, Stephen Frost wrote:
> > Attached is an updated patch which splits up the permissions as
> > suggested up-thread by Magnus:
> >
> > The default roles added are:
> >
> > * pg_read_server_
On Tue, Mar 06, 2018 at 10:00:54AM -0500, Stephen Frost wrote:
> * Magnus Hagander (mag...@hagander.net) wrote:
>> On Tue, Jan 2, 2018 at 1:08 PM, Stephen Frost wrote:
>> > Suggestions on a name for this..? pg_server_copy_program?
>>
>> Presumably it would also be used in postgres_fdw, so that s
Magnus, all,
* Magnus Hagander (mag...@hagander.net) wrote:
> On Tue, Jan 2, 2018 at 1:08 PM, Stephen Frost wrote:
> > Suggestions on a name for this..? pg_server_copy_program?
>
> Presumably it would also be used in postgres_fdw, so that seems like a bad
> name. Maybe pg_exec_server_command?
Hi,
On 2018-01-19 09:28:33 -0500, Stephen Frost wrote:
> This patch still needs updating for Magnus' comments, of course, and
> I'm still planning to make that happen, so Waiting on Author is the
> right status currently.
Given that this hasn't happened, and that the next CF has started, ISTM,
th
Ok great. Thanks Michael and Stephen for the explanations.
Michael, all,
* Michael Paquier (michael.paqu...@gmail.com) wrote:
> On Thu, Jan 18, 2018 at 02:04:45PM +, Ryan Murphy wrote:
> > I had not tried this before with my unpatched build of postgres. (In
> > retrospect of course I should have). I expected my superuser to be
> > able to perform th
On Thu, Jan 18, 2018 at 02:04:45PM +, Ryan Murphy wrote:
> I had not tried this before with my unpatched build of postgres. (In
> retrospect of course I should have). I expected my superuser to be
> able to perform this task, but it seems that for security reasons we
> presently don't allow a
Just circling back on this.
I did have a question that came up about the behavior of the server as it is
without the patch. I logged into psql with my superuser "postgres":
postgres=# select pg_read_file('/Users/postgres/temp');
ERROR: absolute path not allowed
I had not tried this be
Thomas,
* Thomas Munro (thomas.mu...@enterprisedb.com) wrote:
> On Mon, Jan 1, 2018 at 8:19 AM, Stephen Frost wrote:
> > This patch adds a new default role called 'pg_access_server_files' which
> > allows an administrator to GRANT to a non-superuser role the ability to
> > access server-side file
On Mon, Jan 1, 2018 at 8:19 AM, Stephen Frost wrote:
> Greetings,
>
> This patch adds a new default role called 'pg_access_server_files' which
> allows an administrator to GRANT to a non-superuser role the ability to
> access server-side files through PostgreSQL (as the user the database is
> runn
The following review has been posted through the commitfest application:
make installcheck-world: tested, passed
Implements feature: tested, passed
Spec compliant: not tested
Documentation:tested, passed
I ran make installcheck-world and all tests passed except one tha
(Duplicated to make sure it's in the commitfest Thread, didn't seem to get in
there when I replied to the email)
Oops! I made a mistake, which clearly showed up in my last email: I forgot to
psql back in as "tester".
Now I get the right behavior:
$ psql postgres tester
postgres=> sele
Oops! I made a mistake, which clearly showed up in my last email: I forgot
to psql back in as "tester".
Now I get the right behavior:
$ psql postgres tester
psql (9.4.5, server 11devel)
Type "help" for help.
postgres=> select pg_read_file('/Users/postgres/temp');
ERROR: absolute path not allow
Hi Stephen,
I have another question then based on what you said earlier today, and some
testing I did using your patch.
TLDR: I created a role "tester" and was (as expected) not able to perform
pg_read_file() on files outside the data directory.
But then I granted EXECUTE on that function for t
Greetings Ryan!
* Ryan Murphy (ryanfmur...@gmail.com) wrote:
> Stephen, so far I've read thru your patch and familiarized myself with some
> of the auth functionality in pg_authid.h and src/backend/utils/adt/acl.c
>
> The only question I have so far about your patch is the last several hunks of
Stephen, so far I've read thru your patch and familiarized myself with some of
the auth functionality in pg_authid.h and src/backend/utils/adt/acl.c
The only question I have so far about your patch is the last several hunks of
the diff, which remove superuser checks without adding anything immed
Magnus,
* Magnus Hagander (mag...@hagander.net) wrote:
> On Tue, Jan 2, 2018 at 1:08 PM, Stephen Frost wrote:
> > * Magnus Hagander (mag...@hagander.net) wrote:
> > > On Sun, Dec 31, 2017 at 8:19 PM, Stephen Frost
> > wrote:
> > > > This patch adds a new default role called 'pg_access_server_fil
On Tue, Jan 2, 2018 at 1:08 PM, Stephen Frost wrote:
> Magnus,
>
> * Magnus Hagander (mag...@hagander.net) wrote:
> > On Sun, Dec 31, 2017 at 8:19 PM, Stephen Frost
> wrote:
> > > This patch adds a new default role called 'pg_access_server_files'
> which
> > > allows an administrator to GRANT to
Magnus,
* Magnus Hagander (mag...@hagander.net) wrote:
> On Sun, Dec 31, 2017 at 8:19 PM, Stephen Frost wrote:
> > This patch adds a new default role called 'pg_access_server_files' which
> > allows an administrator to GRANT to a non-superuser role the ability to
> > access server-side files thro
On Sun, Dec 31, 2017 at 8:19 PM, Stephen Frost wrote:
> Greetings,
>
> This patch adds a new default role called 'pg_access_server_files' which
> allows an administrator to GRANT to a non-superuser role the ability to
> access server-side files through PostgreSQL (as the user the database is
> ru
this
at least allows some movement away from having to have roles with
superuser access.
Thanks!
Stephen
From eb8be8ffbadcc37418dc12d59c6767e073028e35 Mon Sep 17 00:00:00 2001
From: Stephen Frost
Date: Sun, 31 Dec 2017 14:01:12 -0500
Subject: [PATCH] Add default role pg_access_server_fil
31 matches
Mail list logo
