Search Postgresql Archives

Re: Seeking practice recommendation: is there ever a use case to have two or more superusers?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/18/22 15:08, Peter J. Holzer wrote:
On 2022-11-17 11:36:15 -0800, Bryn Llewellyn wrote:
The detail below leads to a simply stated question:

Given that the bootstrap superuser must exist, is there ever a reason to create
another role with "superuser"?

My intuition tells me that the answer is a resounding "No!".
Is there ever a reason? Yes. Does that reason apply to you? I don't know.
Maybe, maybe not.


— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — 
I wondered, at first, if it might be a good practice to create a
second superuser, say "super" with "login", to alter the bootstrap
superuser with "nologin", and then to use "super" on an "ordinary"
daily basis for tasks that might need this. The thought was that this
practice might protect the artifacts that the bootstrap superuser owns
from damage. But this thought dissolved into thin air, before it was
fully formed, on the realization that the unstoppable "super" could
anyway do arbitrary damage to the bootstrap superuser's artifacts.
You could create additional superusers and restrict those to certain
databases and/or IP ranges. That probably won't stop an attacker (I can
think of at least one way to get around that and it's probably even
easier than I think) but it might prevent accidental damage.


The implication is clear: you should allow a cluster to have just a single
superuser, the inevitable bootstrap superuser, and you should think very
carefully indeed before ever starting a session as this role because of the
risks that doing so brings. Rather, you should realize that there are hardly
any tasks that cannot be carried out by an appropriately configured role with
"nosuperuser".
One important task that can AFAIK only be performed by superusers is the
creation of functions in untrusted languages like plpython3u and
plperlu.

If your application uses functions in those languages you need a
superuser to install or upgrade it.

        hp

Yes, there is such a reason. On several servers that I have to work with, the user "postgres" is not a log-in user. In other words, I can't log in as "postgres", I can only log in as my own user and su to the user "postgres". All users must be authenticated by the LDAP system and the user "postgres" is not in the LDAP. Since I am lazy, I granted superuser privilege to my own user so that I don't have to switch to the user "postgres" every time I want to do something that affects everybody, like using "ALTER SYSTEM". I am also a member of the "dba" group on the Oracle servers, so that I can do "sqlplus / as sysdba" without switching to the user "oracle". It's the same thing. If I was to respond by a single word, the word would be "convenience". Or maybe "covfefe"?

-- 
Mladen Gogala
Database Consultant
Tel: (347) 321-1217
https://dbwhisperer.wordpress.com

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux