| From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
|---|---|
| To: | A(dot)M(dot) <agentm(at)themactionfaction(dot)com> |
| Cc: | Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: lowering privs in SECURITY DEFINER function |
| Date: | 2011-04-08 23:20:53 |
| Message-ID: | 1302304657-sup-7248@alvh.no-ip.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Excerpts from A.M.'s message of mié abr 06 19:08:35 -0300 2011:
> That's really strange considering that the new role may not normally
> have permission to switch to the original role. How would you handle
> the case where the security definer role is not the super user?
As I said to Jeff, it's up to the creator of the wrapper function to
ensure that things are safe. Perhaps this new operation should only be
superuser-callable, for example.
> How would you prevent general SQL attacks when manually popping the
> authentication stack is allowed?
The popping and pushing operations would be restricted. You can only
pop a single frame, and pushing it back before returning is mandatory.
--
Álvaro Herrera <alvherre(at)commandprompt(dot)com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2011-04-08 23:30:26 | Re: WIP: Allow SQL-language functions to reference parameters by parameter name |
| Previous Message | Alvaro Herrera | 2011-04-08 23:17:20 | Re: lowering privs in SECURITY DEFINER function |