Re: [PATCH] Largeobject access controls

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCH] Largeobject access controls
Date: 2009-09-04 01:16:29
Message-ID: 4AA06A6D.4030206@ak.jp.nec.com
Lists: pgsql-hackers

KaiGai Kohei wrote:
> Alvaro Herrera wrote:
>> Tom Lane wrote:
>>> KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> writes:
>>>> BTW, currently, the default ACL of largeobject allows anything for owner
>>>> and nothing for world. Do you have any comment for the default behavior?
>>> Mph. I think the backlash will be too great. You have to leave the
>>> default behavior the same as it is now, ie, world access.
>> BTW as a default it is pretty bad. Should we have a GUC var to set the
>> default LO permissions?
>
> It seems to me a reasonable idea in direction.
> However, it might be better to add a GUC variable to turn on/off LO
> permission feature, not only default permissions.
> It allows us to control whether the privilege mechanism should perform
> in backward compatible, or not.

Now we have two options:

1. A GUC variable to set the default largeobject permissions.

SET largeobject_default_acl = [ ro | rw | none ]
- ro : read-only
- rw : read-writable
- none : nothing

It can control the default ACL which is applied when NULL is set on
the pg_largeobject_meta.lomacl. However, lo_unlink() checks ownership
on the largeobject, so it is not compatible enough with v8.4.x or prior.

2. A GUC variable to turn on/off largeobject permissions.

SET largeobject_compat_dac = [ on | off ]

When the variable is turned on, the largeobject DAC permission check is
not applied, as in v8.4.x or prior versions. So, the variable is
named "compat", which means compatible behavior.
It also does not check ownership on lo_unlink().

My preference is the second approach.

What's your opinion?

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
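
A small C model of the two options in the message above, added here as an illustration and not code from the patch or from PostgreSQL. The type and function names are hypothetical, and it assumes the owner always passes and that with largeobject_compat_dac off the patch's current default (nothing for world) applies; it shows why option 1 still differs from v8.4.x on lo_unlink() even when set to rw.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the two proposed GUCs; all names are assumptions. */
typedef enum { LO_READ, LO_WRITE, LO_UNLINK } lo_op;
typedef enum { DEFACL_NONE, DEFACL_RO, DEFACL_RW } lo_default_acl;

typedef struct {
    int  owner;        /* owning role id */
    bool acl_is_null;  /* models pg_largeobject_meta.lomacl IS NULL */
    bool world_read;   /* explicit grants, used only when the ACL is set */
    bool world_write;
} lo_meta;

/* Option 1: largeobject_default_acl supplies the ACL when lomacl is NULL. */
bool check_option1(lo_default_acl def, const lo_meta *lo, int role, lo_op op)
{
    if (role == lo->owner)
        return true;               /* assumption: owner is allowed anything */
    if (op == LO_UNLINK)
        return false;              /* lo_unlink() checks ownership, not the ACL */
    bool rd = lo->acl_is_null ? (def != DEFACL_NONE) : lo->world_read;
    bool wr = lo->acl_is_null ? (def == DEFACL_RW)   : lo->world_write;
    return op == LO_READ ? rd : wr;
}

/* Option 2: largeobject_compat_dac = on skips every DAC check. */
bool check_option2(bool compat_dac, const lo_meta *lo, int role, lo_op op)
{
    if (compat_dac)
        return true;               /* v8.4.x behaviour, lo_unlink() included */
    /* assumption: with compat off, the patch default (none for world) applies */
    return check_option1(DEFACL_NONE, lo, role, op);
}

int main(void)
{
    lo_meta lo = { 10, true, false, false };   /* constructed sample object */
    int other = 20;                            /* a role that is not the owner */
    printf("option1 rw, write : %d\n", check_option1(DEFACL_RW, &lo, other, LO_WRITE));
    printf("option1 rw, unlink: %d\n", check_option1(DEFACL_RW, &lo, other, LO_UNLINK));
    printf("option2 on, unlink: %d\n", check_option2(true, &lo, other, LO_UNLINK));
    printf("option2 off, read : %d\n", check_option2(false, &lo, other, LO_READ));
    return 0;
}
```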
