Skip site navigation (1) Skip section navigation (2)

Probably a security bug in PostgreSQL rule system

From: "Sergey N(dot) Yatskevich" <syatskevich(at)n21lab(dot)gosniias(dot)msk(dot)ru>
To: bugs-list PostgreSQL <pgsql-bugs(at)postgresql(dot)org>
Subject: Probably a security bug in PostgreSQL rule system
Date: 2004-01-10 23:30:43
Message-ID: 1073777442.8400.9.camel@snc.n21lab.gosniias.msk.ru (view raw or flat)
Thread:
Lists: pgsql-bugspgsql-general
At begin some citations from PostgreSQL documentation:

<citation>
34.4. Rules and Privileges

<skip/>
Rewrite rules don't have a separate owner. The owner of a relation
(table or view) is automatically the owner of the rewrite rules that are
defined for it. The PostgreSQL rule system changes the behavior of the
default access control system. Relations that are used due to rules get
checked against the privileges of the rule owner, not the user invoking
the rule. <note>This means that a user only needs the required
privileges for the tables/views that he names explicitly in his
queries</note>.
<skip/> 
<note>This mechanism also works for update rules</note>. In the examples
of the previous section, the owner of the tables in the example database
could grant the privileges SELECT, INSERT, UPDATE, and DELETE on the
shoelace view to someone else, but only SELECT on shoelace_log. The rule
action to write log entries will still be executed successfully, and
that other user could see the log entries. But he cannot create fake
entries, nor could he manipulate or remove existing ones.
</citation>

Next -- test and it's output, that shows, that if view has INSERT,
UPDATE and DELETE rules then _ANY_ user can insert, update and delete
data in tables, that affected by this rules even user has no INSERT,
UPDATE and DELETE privileges on view and table.

This problem exists for at least 7.3.4 and 7.4.1 PostgreSQL versions.

This is very strange and I'm not sure that I understand all true.

P.S. Please help me solve this problem ASAP.

P.P.S. Sorry for my bad english, but I hope You understand me.

-- 
Sergey N. Yatskevich <syatskevich(at)n21lab(dot)gosniias(dot)msk(dot)ru>
GosNIIAS

Attachment: privilege_test-7.4.1.out
Description: text/plain (3.3 KB)
Attachment: privilege_test-7.3.4.out
Description: text/plain (3.3 KB)
Attachment: privileges_test.sql
Description: text/x-sql (4.4 KB)

Responses

pgsql-bugs by date

Next:From: Peter EisentrautDate: 2004-01-11 19:52:54
Subject: Re: BUG #1044: snprintf() shipped with PostgreSQL is not
Previous:From: PostgreSQL Bugs ListDate: 2004-01-10 22:46:20
Subject: BUG #1048: error connection to dbms from java app server

pgsql-general by date

Next:From: Thomas KellererDate: 2004-01-11 00:07:08
Subject: Re: Any way to SELECT a list of table names?
Previous:From: Cornelia BoenigkDate: 2004-01-10 23:02:12
Subject: Re: Problem with date calculations

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group