
Panic on inexistant ACL [was: Grant execute on specific functions only ?]

Open dani opened this issue 2 years ago • 1 comments

What do you want?

I'm trying to grant minimal privileges to a role so it can use rewind, as detailed here

GRANT EXECUTE ON function pg_catalog.pg_ls_dir(text, boolean, boolean) TO rewind_user;
GRANT EXECUTE ON function pg_catalog.pg_stat_file(text, boolean) TO rewind_user;
GRANT EXECUTE ON function pg_catalog.pg_read_binary_file(text) TO rewind_user;
GRANT EXECUTE ON function pg_catalog.pg_read_binary_file(text, bigint, bigint, boolean) TO rewind_user;

But I'm having a hard time trying to express this in ldap2pg.yml

ldap2pg.yml

I tried with this

privileges:
  rewinder:
    - __connect__
    - type: EXECUTE
      on: function pg_catalog.pg_ls_dir(text, boolean, boolean)
    - type: EXECUTE
      on: function pg_catalog.pg_stat_file(text, boolean)
    - type: EXECUTE
      on: function pg_catalog.pg_read_binary_file(text)
    - type: EXECUTE
      on: function pg_catalog.pg_read_binary_file(text, bigint, bigint, boolean)

rules:
  - grant:
      role: rewind
      privileges:
        - rewinder
      databases: postgres

But then ldap2pg panics

time=2023-09-19T11:33:02.795Z level=INFO msg="Starting ldap2pg" version=v6.0 runtime=go1.20.5 commit=023e6933
time=2023-09-19T11:33:02.795Z level=INFO msg="Using YAML configuration file." path=/secrets/ldap2pg.yml
time=2023-09-19T11:33:02.822Z level=INFO msg="Running as superuser." user=postgres super=true server="PostgreSQL 15.4" cluster=postgres database=postgres
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x8421ae]

goroutine 14 [running]:
github.com/dalibo/ldap2pg/internal/privilege.(*Grant).Normalize(0xc000078180)
	/workspace/internal/privilege/grant.go:48 +0x12e
github.com/dalibo/ldap2pg/internal/wanted.Step.generateGrants.func1()
	/workspace/internal/wanted/step.go:252 +0x218
created by github.com/dalibo/ldap2pg/internal/wanted.Step.generateGrants
	/workspace/internal/wanted/step.go:248 +0x12c

I can live with granting execute on all functions, but would like to understand if it's possible at all to grant execute on specific functions

dani avatar Sep 19 '23 11:09 dani

Hi, Thanks for the feedback.

on is not an SQL statement. on references a builtin ACL as documented at https://ldap2pg.readthedocs.io/en/latest/builtins/#acl-reference .

privileges:
  rewinder:
  - type: EXECUTE
    on: ALL FUNCTIONS IN SCHEMA

ldap2pg does not handle (yet) per-object privileges. See #269 for this. For now, the finest level of privilege management in ldap2pg is the schema.

However, the segfault is a bug. So please keep this issue open until I fix this.

bersace avatar Sep 19 '23 12:09 bersace
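The crash above is the classic shape of a config-validation gap: a user-supplied `on:` value that is not a known ACL name gets looked up, the lookup yields nil, and a later method dereferences it. The Go snippet below is an added example written for this thread, not ldap2pg's own code: it parses the minimal profile syntax shown in the issue and rejects unknown `on:` values with a readable error list before anything is normalised. The set of accepted ACL names is an assumption for the example; only "ALL FUNCTIONS IN SCHEMA" is taken from the reply above, the rest are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// PrivilegeRef is one entry of a privileges profile: either a bare reference
// such as __connect__, or a type/ACL pair (type: EXECUTE, on: <ACL name>).
type PrivilegeRef struct {
	Ref  string // set for bare entries such as __connect__
	Type string // e.g. EXECUTE
	On   string // builtin ACL name, e.g. ALL FUNCTIONS IN SCHEMA
}

// knownACLs is the set of ACL names the validator accepts. Only
// "ALL FUNCTIONS IN SCHEMA" comes from the issue; the others are assumed
// placeholders, not a verified list of ldap2pg builtins.
var knownACLs = map[string]bool{
	"ALL FUNCTIONS IN SCHEMA": true,
	"ALL TABLES IN SCHEMA":    true, // assumed
	"DATABASE":                true, // assumed
	"SCHEMA":                  true, // assumed
}

// parseProfile parses the body of one profile in the list syntax used in the
// issue: "- __connect__", or "- type: X" followed by an indented "on: Y".
func parseProfile(yamlBody string) ([]PrivilegeRef, error) {
	var refs []PrivilegeRef
	for n, raw := range strings.Split(yamlBody, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" {
			continue
		}
		switch {
		case strings.HasPrefix(line, "- type:"):
			refs = append(refs, PrivilegeRef{Type: strings.TrimSpace(strings.TrimPrefix(line, "- type:"))})
		case strings.HasPrefix(line, "- "):
			refs = append(refs, PrivilegeRef{Ref: strings.TrimSpace(strings.TrimPrefix(line, "- "))})
		case strings.HasPrefix(line, "on:"):
			if len(refs) == 0 || refs[len(refs)-1].Type == "" {
				return nil, fmt.Errorf("line %d: 'on:' without a preceding '- type:'", n+1)
			}
			refs[len(refs)-1].On = strings.TrimSpace(strings.TrimPrefix(line, "on:"))
		default:
			return nil, fmt.Errorf("line %d: unrecognised entry %q", n+1, line)
		}
	}
	return refs, nil
}

// validateProfile returns one message per entry whose "on" is missing or not
// a known ACL name. An empty result means the profile is safe to normalise;
// this is the check that turns a nil dereference into a config error.
func validateProfile(refs []PrivilegeRef) []string {
	var problems []string
	for i, r := range refs {
		if r.Ref != "" {
			continue // bare profile/builtin references are resolved elsewhere
		}
		if r.On == "" {
			problems = append(problems, fmt.Sprintf("entry %d: type %s has no 'on' ACL", i+1, r.Type))
			continue
		}
		if !knownACLs[r.On] {
			problems = append(problems, fmt.Sprintf(
				"entry %d: unknown ACL %q (expected a builtin name such as \"ALL FUNCTIONS IN SCHEMA\", not an SQL object reference)",
				i+1, r.On))
		}
	}
	return problems
}

// issueProfile is the body of the "rewinder" profile from the issue (constructed copy).
const issueProfile = `
- __connect__
- type: EXECUTE
  on: function pg_catalog.pg_ls_dir(text, boolean, boolean)
- type: EXECUTE
  on: function pg_catalog.pg_stat_file(text, boolean)
- type: EXECUTE
  on: function pg_catalog.pg_read_binary_file(text)
- type: EXECUTE
  on: function pg_catalog.pg_read_binary_file(text, bigint, bigint, boolean)
`

// fixedProfile is the corrected profile from the maintainer's reply.
const fixedProfile = `
- type: EXECUTE
  on: ALL FUNCTIONS IN SCHEMA
`

func main() {
	for name, body := range map[string]string{"issue": issueProfile, "fixed": fixedProfile} {
		refs, err := parseProfile(body)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d entries, problems: %q\n", name, len(refs), validateProfile(refs))
	}
}
```

Run against the two snippets from this thread, the issue's profile yields four "unknown ACL" messages (one per SQL object reference, with __connect__ passed through) and the corrected profile yields none; the same check placed before Normalize would have produced a config error instead of the SIGSEGV in the trace.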

fixed in #613

pirlgon avatar May 02 '24 08:05 pirlgon