pg_parameter_aclcheck() and trusted extensions

From: Nathan Bossart <nathandbossart(at)gmail(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: pg_parameter_aclcheck() and trusted extensions
Date: 2022-07-06 22:47:27
Message-ID: 20220706224727.GA2158260@nathanxps13
Lists: pgsql-hackers

Hi hackers,

I found that as of a0ffa88, it's possible to set a PGC_SUSET GUC defined by
a trusted extension as a non-superuser. I've confirmed that this only
affects v15 and later versions.

postgres=# CREATE ROLE testuser;
postgres=# GRANT CREATE ON DATABASE postgres TO testuser;
postgres=# SET ROLE testuser;
postgres=> SET plperl.on_plperl_init = 'test';
postgres=> CREATE EXTENSION plperl;
postgres=> SELECT setting FROM pg_settings WHERE name = 'plperl.on_plperl_init';
(1 row)

On previous versions, the CREATE EXTENSION command emits the following
WARNING, and the setting does not take effect:

WARNING: permission denied to set parameter "plperl.on_plperl_init"

I think the call to superuser_arg() in pg_parameter_aclmask() is causing
set_config_option() to bypass the normal privilege checks, as
execute_extension_script() will have set the user ID to the bootstrap
superuser for trusted extensions like plperl. I don't have a patch or a
proposal at the moment, but I thought it was worth starting the discussion.

Nathan Bossart
Amazon Web Services:
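
The check order described in the message above, as an added example that is not part of the original message and is not PostgreSQL source code. It is a simplified model: the model_* functions, current_user_id and TESTUSER_OID are hypothetical stand-ins, and no SET grants exist in it.

```c
/* Simplified model of the check order; not PostgreSQL source code. */
#include <stdbool.h>
#include <stdio.h>

typedef unsigned int Oid;
#define BOOTSTRAP_SUPERUSERID 10u  /* OID of the bootstrap superuser */
#define TESTUSER_OID 16384u        /* constructed OID for "testuser" */

static Oid current_user_id = TESTUSER_OID;  /* stands in for GetUserId() */

/* Stand-in for superuser_arg(): only the bootstrap role is a superuser here. */
static bool model_superuser_arg(Oid roleid)
{
    return roleid == BOOTSTRAP_SUPERUSERID;
}

/* Stand-in for the ACL check: superusers pass before any grant is consulted;
 * no SET grants exist in this model, so every other role is refused. */
static bool model_parameter_aclcheck(Oid roleid)
{
    return model_superuser_arg(roleid);
}

/* Stand-in for the PGC_SUSET test: it asks about the user ID in effect at
 * the moment the value is applied, not the role that issued the SET. */
static bool model_apply_suset_value(void)
{
    return model_parameter_aclcheck(current_user_id);
}

/* Stand-in for running an extension script. With switch_user (the trusted
 * extension case from the message) the user ID is the bootstrap superuser
 * while the value stored by the earlier SET is applied to the new GUC. */
static bool model_create_extension(bool switch_user)
{
    Oid saved = current_user_id;
    if (switch_user)
        current_user_id = BOOTSTRAP_SUPERUSERID;
    bool applied = model_apply_suset_value();
    current_user_id = saved;  /* restore the caller's identity */
    return applied;
}

int main(void)
{
    printf("direct SET as testuser applied: %d\n", model_apply_suset_value());
    printf("via trusted extension script applied: %d\n", model_create_extension(true));
    return 0;
}
```

In the model, the same value is refused when testuser applies it directly and accepted when it is applied while the user ID is switched, which matches the difference in behavior reported in the message.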

