| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
| Cc: | Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [PATCH] Largeobject access controls |
| Date: | 2009-09-04 01:29:56 |
| Message-ID: | 603c8f070909031829q604746c6tf20b6aaf19fc6935@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
2009/9/3 KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>:
> KaiGai Kohei wrote:
>> Alvaro Herrera wrote:
>>> Tom Lane wrote:
>>>> KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> writes:
>>>>> BTW, currently, the default ACL of largeobject allows anything for owner
>>>>> and nothing for world. Do you have any comment for the default behavior?
>>>> Mph. I think the backlash will be too great. You have to leave the
>>>> default behavior the same as it is now, ie, world access.
>>> BTW as a default it is pretty bad. Should we have a GUC var to set the
>>> default LO permissions?
>>
>> It seems to me a reasonable idea in direction.
>> However, it might be better to add a GUC variable to turn on/off LO
>> permission feature, not only default permissions.
>> It allows us to control whether the privilege mechanism should perform
>> in backward compatible, or not.
>
> Now we have two options:
>
> 1. A GUC variable to set the default largeobject permissions.
>
> SET largeobject_default_acl = [ ro | rw | none ]
> - ro : read-only
> - rw : read-writable
> - none : nothing
>
> It can control the default acl which is applied when NULL is set on
> the pg_largeobject_meta.lomacl. However, lo_unlink() checks ownership
> on the largeobject, so it is not enough compatible with v8.4.x or prior.
>
> 2. A GUC veriable to turn on/off largeobject permissions.
>
> SET largeobject_compat_dac = [ on | off ]
>
> When the variable is turned on, largeobject dac permission check is
> not applied as the v8.4.x or prior version did. So, the variable is
> named "compat" which means compatible behavior.
> It also does not check ownership on lo_unlink().
>
> My preference is the second approach.
>
> What's your opinion?
I prefer the first. There's little harm in letting users set the
default permissions for themselves, but a GUC that controls
system-wide behavior will have to be something only superusers can
money with, and that seems like it will reduce usability.
Why couldn't lo_unlink() just check write privilege?
...Robert
| From | Date | Subject | |
|---|---|---|---|
| Next Message | KaiGai Kohei | 2009-09-04 01:43:46 | Re: [PATCH] Largeobject access controls |
| Previous Message | KaiGai Kohei | 2009-09-04 01:16:29 | Re: [PATCH] Largeobject access controls |