From: | Jeff Davis <pgsql(at)j-davis(dot)com> |
---|---|
To: | Andres Freund <andres(at)anarazel(dot)de> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Blocking execution of SECURITY INVOKER |
Date: | 2023-01-13 07:38:50 |
Message-ID: | 2c4823f1293a065b053ec556eff9a8767ea93ad5.camel@j-davis.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Hi,
On Thu, 2023-01-12 at 19:29 -0800, Andres Freund wrote:
> superuser:
> # CREATE FUNCTION exec_su(p_sql text) RETURNS text LANGUAGE plpgsql
> SECURITY DEFINER AS $$BEGIN RAISE NOTICE 'executing %', p_sql;
> EXECUTE p_sql;RETURN 'p_sql';END;$$;
> # REVOKE ALL ON FUNCTION exec_su FROM PUBLIC ;
That can be solved by creating the function in a schema where ordinary
users don't have USAGE:
CREATE TABLE trick_superuser(value text default admin.exec_su('ALTER
USER less_privs SUPERUSER'));
ERROR: permission denied for schema admin
An interesting case, but it looks more like a gotcha (which is solvable
with best practices); not a fundamental problem.
> The point of the grant system is for a privileged user to safely
> allow a less privileged user to perform a safe subset of actions.
There is not necessarily a GRANT hierarchy like you describe. The two
users can be peers each with comparable privileges that might make
grants to each other.
> And the admin likely can switch into the user context of
> the less privileged user to perform operations in a safer context.
How would the admin do that? The malicious UDF can just "RESET SESSION
AUTHORIZATION" to pop back out of the safer context.
If there's not a good way to do this safely now, then we should
probably provide one.
> >
Regards,
--
Jeff Davis
PostgreSQL Contributor Team - AWS
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paquier | 2023-01-13 07:54:58 | Re: Generating code for query jumbling through gen_node_support.pl |
Previous Message | Andres Freund | 2023-01-13 07:23:46 | Re: PL/Python: Fix return in the middle of PG_TRY() block. |