SEPostgreSQL/Permissions

From PostgreSQL wiki

Database (pg_database)

Creation

  • DAC
    • check createdb privilege of the owner
    • check ownership of the source database (if not template)
    • check CREATE permission on the tablespace (if specified)
  • SELinux
    • check db_database:{create} on the default security label; based on the source database
    • (permissions on the tablespace: to be checked in a future version)
  • Contextual information
    • name of the new database
    • oid of the source database
    • (oid of the tablespace)

Alter

  • DAC
    • check ownership of the database
    • check createdb privilege of the user (if RENAME TO, OWNER TO)
    • check membership of the new owner (if OWNER TO)
    • check CREATE permission on the tablespace (if SET TABLESPACE)
  • SELinux
    • check db_database:{setattr}
    • (permissions on the tablespace: to be checked in a future version)
  • Contextual information
    • event type and oid
    • (oid of the tablespace, if SET TABLESPACE)

Drop

  • DAC
    • check ownership of the database
  • SELinux
    • check db_database:{drop}
  • Contextual information
    • only event type and oid

Connection

  • DAC
    • check CONNECT permission on the database at CheckMyDatabase()
  • SELinux
    • check db_database:{access}
  • Contextual information
    • only event type and oid

Schema (pg_namespace)

Creation

  • DAC
    • check CREATE or CREATE_TEMP permission on the database
    • check membership of the owner (if persistent schema)
  • SELinux
    • check db_schema:{create} on the default security label; based on the database
  • Contextual information
    • name of the new schema

Alter

  • DAC
    • check ownership of the schema
    • check CREATE permission on the database (if RENAME TO, OWNER TO)
    • check membership of the new owner (if OWNER TO)
  • SELinux
    • check db_schema:{setattr}
  • Contextual information
    • only event type and oid

Drop

  • DAC
    • check ownership of the schema
  • SELinux
    • check db_schema:{drop}
  • Contextual information
    • oid of the schema
    • a flag to inform whether CASCADE or RESTRICT

Search

  • DAC
    • check USAGE permission
  • SELinux
    • check db_schema:{search}
  • Contextual information
    • only event type and oid

Relation (pg_class)

Creation

  • DAC
    • check CREATE permission of the namespace of the new relation
    • check CREATE permission of the tablespace of the new relation, if particular TABLESPACE is given
    • check ownership of the table being inherited, if INHERITS is given
  • SELinux
    • check db_xxx:{create} on the default security label of the relation; based on the namespace
      • db_xxx is db_table, db_sequence or db_view, depending on relkind
    • check db_column:{create} on the default security label of column; based on the relation
    • check db_schema:{add_name} permission
    • (permissions on the tablespace: to be checked in a future version)
    • check db_table:{getattr} permission on the tables being inherited, if INHERITS is given
  • Contextual information
    • name of the new relation
    • oid of the namespace
    • (oid of the tablespace)
    • relkind
    • TupleDesc (it delivers information about columns)
  • Memo
    • In my opinion, permission checks on inherited tables should be separated from the main part of the creation check, because MergeAttributes() acquires ShareUpdateExclusiveLock on the parent tables. If we don't raise an error immediately, an unprivileged user can block access to the parent tables without holding permissions on them.
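The creation checks above combine two independent layers: the DAC checks are PostgreSQL's ordinary ACLs, and the SELinux checks are access-vector lookups against a label that is first derived for the object being created (the "default security label; based on the namespace" step, which is an SELinux type transition from the creator's domain and the parent's label). The model below, an added example that is not sepgsql code, walks through CREATE TABLE exactly in the order the list gives it: the policy rules, domains (`user_t`, `guest_t`), types (`schema_t`, `table_t`, `secret_t`) and role names are all constructed, and the `ALLOW`/`TRANSITION` tables stand in for the SELinux policy. Every check must pass, so the function collects all denials before reporting, and the third case shows MAC denying a request that DAC would allow.

```python
"""Model of SE-PostgreSQL's two-layer check on CREATE TABLE.

Added example for illustration; this is not sepgsql code. The policy rules,
labels, domains and role names below are constructed. DAC (PostgreSQL ACLs)
and MAC (SELinux access vector checks) are both evaluated and all must pass.
"""
from dataclasses import dataclass

# Constructed allow rules: (subject domain, object type, object class) -> permissions
ALLOW = {
    ("user_t", "schema_t", "db_schema"):  {"search", "add_name"},
    ("user_t", "table_t", "db_table"):    {"create", "getattr", "select"},
    ("user_t", "table_t", "db_column"):   {"create", "select"},
    ("user_t", "secret_t", "db_table"):   set(),        # no getattr on secret_t tables
    ("guest_t", "schema_t", "db_schema"): {"search"},   # may search, may not add_name
    ("guest_t", "table_t", "db_table"):   {"create"},
    ("guest_t", "table_t", "db_column"):  set(),        # relation allowed, columns denied
}

# Constructed type_transition rules: (subject domain, parent type, class) -> new type.
# This is the "default security label; based on the namespace/relation" step.
TRANSITION = {
    ("user_t", "schema_t", "db_table"):  "table_t",
    ("user_t", "table_t", "db_column"):  "table_t",
    ("guest_t", "schema_t", "db_table"): "table_t",
    ("guest_t", "table_t", "db_column"): "table_t",
}


def default_label(domain, parent_type, tclass):
    """New object's type from the creator's domain and the parent's type;
    with no transition rule SELinux inherits the parent's type."""
    return TRANSITION.get((domain, parent_type, tclass), parent_type)


def avc_allowed(domain, ttype, tclass, perms):
    """Access vector check: every requested permission must be granted."""
    return set(perms) <= ALLOW.get((domain, ttype, tclass), set())


@dataclass
class Schema:
    name: str
    label: str
    acl_create: frozenset   # roles holding CREATE on the schema


@dataclass
class Table:
    name: str
    label: str
    owner: str


def check_create_table(role, domain, schema, columns, inherits=()):
    """Return (allowed, denials) for CREATE TABLE, following the page's list of
    DAC and SELinux checks for pg_class creation. All denials are collected up
    front, so nothing is locked on behalf of a request that is going to fail."""
    denials = []
    # DAC: CREATE on the namespace; ownership of each inherited parent
    if role not in schema.acl_create:
        denials.append(f"DAC: {role} lacks CREATE on schema {schema.name}")
    for parent in inherits:
        if parent.owner != role:
            denials.append(f"DAC: {role} does not own inherited table {parent.name}")
    # SELinux: db_table:{create} on the relation's default label (derived from the schema)
    rel_type = default_label(domain, schema.label, "db_table")
    if not avc_allowed(domain, rel_type, "db_table", {"create"}):
        denials.append(f"MAC: {domain} lacks db_table:{{create}} on {rel_type}")
    # SELinux: db_column:{create} on each column's default label (derived from the relation)
    col_type = default_label(domain, rel_type, "db_column")
    for col in columns:
        if not avc_allowed(domain, col_type, "db_column", {"create"}):
            denials.append(f"MAC: {domain} lacks db_column:{{create}} on {col_type} ({col})")
    # SELinux: db_schema:{add_name} on the namespace that receives the new name
    if not avc_allowed(domain, schema.label, "db_schema", {"add_name"}):
        denials.append(f"MAC: {domain} lacks db_schema:{{add_name}} on {schema.label}")
    # SELinux: db_table:{getattr} on each inherited parent
    for parent in inherits:
        if not avc_allowed(domain, parent.label, "db_table", {"getattr"}):
            denials.append(f"MAC: {domain} lacks db_table:{{getattr}} on {parent.name}")
    return (not denials), denials


if __name__ == "__main__":
    public = Schema("public", "schema_t", frozenset({"alice", "bob"}))
    base = Table("base", "table_t", "alice")
    secret = Table("secret", "secret_t", "alice")
    print(check_create_table("alice", "user_t", public, ["id", "name"], [base]))
    print(check_create_table("alice", "user_t", public, ["id"], [secret]))   # owner, but MAC denies
    print(check_create_table("bob", "guest_t", public, ["id"]))
```

The second call is the instructive one: alice owns `secret`, so the DAC ownership check passes, but her domain holds no `db_table:{getattr}` on `secret_t`, so the SELinux layer still refuses the inheritance. The same derive-then-check pattern applies to the other creation sections on this page (schema from database, function from namespace), with the object class swapped.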

Alter

  • DAC
    • check ownership of the relation
    • check CREATE permission of the namespace, if ALTER RENAME TO/SET SCHEMA/OWNER TO
    • check role membership of the new owner, if ALTER OWNER TO
    • check REFERENCES permission of PK/FK constrained tables/columns, if FK constraints are added
    • check CREATE permission of the tablespace, if ALTER SET TABLESPACE
    • check ownership of the parent relation, if ALTER INHERIT
  • SELinux
    • check db_xxx:{setattr}
    • check db_column:{create} or db_column:{drop}, if ADD/DROP COLUMN
    • check db_column:{setattr}, if column is altered
    • check db_schema:{add_name remove_name}, if ALTER RENAME TO/SET SCHEMA
    • (permissions on the tablespace: to be checked in a future version)
    • check db_table:{getattr} of the parent table, if ALTER INHERIT
  • Contextual information
    • oid and subid of the table/column being altered
    • oid of the new namespace, if ALTER SET SCHEMA
    • (oid of the new tablespace, if ALTER SET TABLESPACE)
    • new name, if ALTER RENAME TO
    • ColumnDef, if ALTER ADD COLUMN

Drop

  • DAC
    • check ownership of either namespace or relation
  • SELinux
    • check db_xxx:{drop}
    • check db_schema:{remove_name}
  • Contextual information
    • oid of the relation
    • a flag to inform whether CASCADE or RESTRICT

Sequence Ops

  • DAC
    • check SELECT or USAGE permission on currval()/lastval()
    • check USAGE or UPDATE permission on nextval()
    • check UPDATE permission on setval()
  • SELinux
    • check db_sequence:{get_value} on currval()/lastval()
    • check db_sequence:{next_value} on nextval()
    • check db_sequence:{set_value} on setval()
  • Contextual information
    • only event type and oid

Function (pg_proc)

Creation

  • DAC
    • check CREATE permission of the namespace
    • check USAGE permission of the language or superuser privilege depending on whether the language is trusted
    • (check superuser privilege if LEAKPROOF is given)
    • check ownership of the function, if replaced
  • SELinux
    • check db_procedure:{create} on the default security label; based on the namespace
    • check db_schema:{add_name} of the namespace
    • check db_language:{implement} of the language
    • (check db_procedure:{install} if LEAKPROOF is given)
    • check db_procedure:{drop} and db_schema:{remove_name}, if replaced
  • Contextual information
    • name of the new function
    • oid of argument types
    • oid of the namespace
    • oid of the language
    • (a flag to inform whether LEAKPROOF)

Alter

  • DAC
    • check ownership of the procedure
    • check CREATE permission of the namespace, if RENAME TO/SET SCHEMA/OWNER TO
    • check role membership of the new owner, if ALTER OWNER TO
  • SELinux
    • check db_procedure:{setattr}
    • check db_schema:{add_name remove_name}, if RENAME TO/SET SCHEMA
  • Contextual information
    • oid of the function
    • oid of the namespace, if SET SCHEMA
    • new function name, if RENAME TO

Drop

  • DAC
    • check ownership of either function or namespace
  • SELinux
    • check db_procedure:{drop}
    • check db_schema:{remove_name}
  • Contextual information
    • oid of the function
    • a flag to inform whether CASCADE or RESTRICT

Execute

  • DAC
    • check EXECUTE permission
  • SELinux
    • check db_procedure:{execute}
    • check db_procedure:{entrypoint} and process:{transition}, if trusted procedure
  • Contextual information
    • only event type and oid
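The trusted-procedure case above is the one place in this list where a check changes the caller's own security context rather than just allowing or denying an operation. The model below is an added example, not sepgsql code: domains, types and policy rules are constructed, and it assumes (as a modelling choice) that `db_procedure:{entrypoint}` is checked with the caller's domain as subject and the function's label as target, and `process:{transition}` with the caller's domain as subject and the new domain as target. It shows the ordinary `execute` check, the transition into a trusted domain for the duration of the body, and the failure mode a practitioner cares about: the session's domain is restored even when the body raises.

```python
"""Model of SE-PostgreSQL's EXECUTE check with a trusted-procedure domain transition.

Added example for illustration, not sepgsql code; domains, types and policy
rules are constructed. A trusted procedure is one for which a process
type_transition rule exists from the caller's domain: besides
db_procedure:{execute}, db_procedure:{entrypoint} on the function and
process:{transition} to the new domain are required, and the body runs under
the new domain, which is reverted afterwards (also on error).
"""
from dataclasses import dataclass
from typing import Callable

# Constructed allow rules: (subject domain, object type, class) -> permissions
ALLOW = {
    ("user_t", "proc_t", "db_procedure"):         {"execute"},
    ("user_t", "trusted_exec_t", "db_procedure"): {"execute", "entrypoint"},
    ("user_t", "trusted_t", "process"):           {"transition"},
    ("user_t", "secret_t", "db_table"):           set(),        # caller may not read secret_t
    ("trusted_t", "secret_t", "db_table"):        {"select"},   # trusted domain may
}
# Constructed process type_transition: (caller domain, procedure type) -> new domain
PROC_TRANSITION = {("user_t", "trusted_exec_t"): "trusted_t"}


def avc_allowed(domain, ttype, tclass, perms):
    """Access vector check: every requested permission must be granted."""
    return set(perms) <= ALLOW.get((domain, ttype, tclass), set())


class PermissionDenied(Exception):
    pass


class Session:
    """Holds the client's current security domain."""
    def __init__(self, domain):
        self.domain = domain


@dataclass
class Procedure:
    name: str
    label: str
    body: Callable   # called with the Session while the procedure runs


def execute_procedure(session, proc, *args):
    """db_procedure:{execute} always; entrypoint + transition for a trusted procedure."""
    caller = session.domain
    if not avc_allowed(caller, proc.label, "db_procedure", {"execute"}):
        raise PermissionDenied(f"{caller}: db_procedure:{{execute}} on {proc.name}")
    new_domain = PROC_TRANSITION.get((caller, proc.label))
    if new_domain is None:
        return proc.body(session, *args)          # ordinary function: no transition
    if not avc_allowed(caller, proc.label, "db_procedure", {"entrypoint"}):
        raise PermissionDenied(f"{caller}: db_procedure:{{entrypoint}} on {proc.name}")
    if not avc_allowed(caller, new_domain, "process", {"transition"}):
        raise PermissionDenied(f"{caller}: process:{{transition}} to {new_domain}")
    session.domain = new_domain
    try:
        return proc.body(session, *args)
    finally:
        session.domain = caller                   # always revert, even if the body raised


def select_secret(session):
    """A body that reads a table labelled secret_t; only the trusted domain may."""
    if not avc_allowed(session.domain, "secret_t", "db_table", {"select"}):
        raise PermissionDenied(f"{session.domain}: db_table:{{select}} on secret_t")
    return "secret row"


def run_as_trusted(session, body=select_secret):
    """Execute `body` through a trusted procedure and report the result and the
    session domain observed afterwards, for inspection."""
    result = execute_procedure(session, Procedure("audit_lookup", "trusted_exec_t", body))
    return result, session.domain


if __name__ == "__main__":
    s = Session("user_t")
    print(run_as_trusted(s))                          # ('secret row', 'user_t')
    try:
        execute_procedure(s, Procedure("plain_lookup", "proc_t", select_secret))
    except PermissionDenied as e:
        print("denied:", e)                           # no transition, so user_t cannot read
```

Note that the trusted procedure does not widen the caller's permissions in general: only the code reachable through the entrypoint runs as `trusted_t`, and the `finally` guarantees the session is back in `user_t` before control returns to the caller, whatever happened inside.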

Language (pg_language)

Create

  • DAC
    • check either superuser privilege or, if tmpldbacreate = true, ownership of the database
  • SELinux
    • check db_language:{create} on the default security label; based on the database
    • check db_procedure:{install} of the handler, inline and validator functions
  • Contextual information
    • name of the new language
    • oid of the handler, inline and validator functions

Alter

  • DAC
    • check ownership of the language
    • check membership of the new owner of the language, if ALTER OWNER TO
  • SELinux
    • check db_language:{setattr}
  • Contextual information
    • only event type and oid

Drop

  • DAC
    • check ownership of the language
  • SELinux
    • check db_language:{drop} of the language
  • Contextual information
    • oid of the language
    • a flag to inform whether CASCADE or RESTRICT

Aggregate (pg_aggregate)

Create

  • DAC
    • check CREATE permission of the namespace
    • check EXECUTE permission of the trans and final function
  • SELinux
    • check db_procedure:{create} on the default security label; based on the namespace
    • check db_procedure:{install} on the trans and final function
      • it might not be necessary, because db_procedure:{execute} shall be checked at run time
  • Contextual information
    • name of the new function
    • oid of the namespace
    • oid of the trans and final functions

Alter

  • DAC
    • check ownership of the aggregate
    • check CREATE permission of the namespace, if RENAME TO/SET SCHEMA
    • check membership of the new owner, if OWNER TO
  • SELinux
    • check db_procedure:{setattr}
    • check db_schema:{add_name remove_name}, if RENAME TO/SET SCHEMA
  • Contextual information
    • oid of the aggregate
    • oid of the namespace, if SET SCHEMA

Drop

  • DAC
    • check ownership of either aggregate or namespace
  • SELinux
    • check db_procedure:{drop}
    • check db_schema:{remove_name}
  • Contextual information
    • oid of the aggregate
    • a flag to inform whether CASCADE or RESTRICT

Type/Domain (pg_type)

Create

  • DAC
    • check superuser privilege or CREATE permission of the namespace, depending on whether it is a base type or not
    • check ownership of the type_in, type_out, type_recv, type_send, type_modin, type_modout and type_analyze functions, if base type
  • SELinux
    • check permission to insert a tuple into the pg_type catalog, because SELinux does not have a specific object class for types right now
    • check db_schema:{add_name}
    • check db_procedure:{install} on type_in, type_out, type_recv, type_send, type_modin, type_modout and type_analyze functions.
  • Contextual information
    • name of the new type
    • oid of the namespace
    • oid of the type_in, type_out, type_recv, type_send, type_modin, type_modout and type_analyze functions.

Alter

  • DAC
    • check ownership of the types
    • check CREATE permission of the namespace, if ALTER RENAME TO/SET SCHEMA/OWNER TO
    • check membership of the new owner, if ALTER OWNER TO
  • SELinux
    • check permission to update the pg_type catalog (SELinux does not have a specific object class for types right now)
    • check db_schema:{add_name remove_name}, if ALTER RENAME TO/SET SCHEMA
  • Contextual information
    • oid of the type
    • oid of the namespace, if SET SCHEMA

Drop

  • DAC
    • check ownership of either type or namespace
  • SELinux
    • check permission to delete a tuple from the pg_type catalog, because SELinux does not have a specific object class for types right now
    • check db_schema:{remove_name}
  • Contextual information
    • oid of the type
    • a flag to inform whether CASCADE or RESTRICT