From: | "Andrew Dunstan" <andrew(at)dunslane(dot)net> |
---|---|
To: | "Peter Eisentraut" <peter_e(at)gmx(dot)net> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Fixing insecure security definer functions |
Date: | 2007-02-14 02:16:57 |
Message-ID: | 60531.24.211.165.134.1171419417.squirrel@www.dunslane.net |
Lists: | pgsql-hackers |

Peter Eisentraut wrote:

> Regarding the advisory on possibly insecure security definer functions
> that I just sent out (by overriding the search path you can make the
> function do whatever you want with the privileges of the function
> owner), the favored solution after some initial discussion in the core
> team was to save the search path at creation time with each function.
> This measure will arguably also increase the robustness of functions in
> general, and it seems to be desirable as part of the effort to make
> plan invalidation work.
>
> Quite probably, there will be all sorts of consequences in terms of
> backward compatibility and preserving the possibility of valid uses of
> the old behavior and so on. So I'm inviting input on how to fix the
> problem in general and how to avoid the mentioned follow-up problems in
> particular.

Maybe we need an option on CREATE ... SECURITY DEFINER to allow the
function to inherit the caller's search path.

cheers

andrew
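
The search-path problem discussed in this message, seen from the defender's side, as an added example that is not part of the original thread: a SECURITY DEFINER function whose search path is pinned in its definition, followed by a catalog query that lists SECURITY DEFINER functions with no pinned path. It assumes a current PostgreSQL release with the per-function `SET` clause (added after this message was written); the schema, table and function names are hypothetical.

```sql
-- Hypothetical schema, table and function names, constructed for illustration.
CREATE SCHEMA app;
CREATE TABLE app.accounts (
    username text PRIMARY KEY,
    pwhash   text NOT NULL
);

-- The unqualified reference to "accounts" is resolved through the path
-- stored with the function, not through the caller's session search_path.
CREATE FUNCTION app.check_password(uname text, candidate_hash text)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
-- Trusted schema first; pg_temp listed explicitly and last so that
-- temporary objects are never searched ahead of app.
SET search_path = app, pg_temp
AS $$
    SELECT EXISTS (
        SELECT 1
        FROM accounts
        WHERE username = uname
          AND pwhash = candidate_hash
    );
$$;

-- EXECUTE is granted to PUBLIC by default; remove it and grant per role.
REVOKE ALL ON FUNCTION app.check_password(text, text) FROM PUBLIC;

-- Audit: SECURITY DEFINER functions that carry no search_path setting
-- and therefore resolve names through whatever path the caller has set.
SELECT n.nspname                                 AS schema_name,
       p.proname                                 AS function_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       pg_get_userbyid(p.proowner)               AS owner
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND NOT EXISTS (
        SELECT 1
        FROM unnest(coalesce(p.proconfig, '{}'::text[])) AS cfg
        WHERE cfg LIKE 'search_path=%'
      )
ORDER BY schema_name, function_name;
```

Run as written, the audit query does not return `app.check_password`; it returns only functions that would need the same `SET search_path` clause or fully schema-qualified references in their bodies.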