| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Martijn van Oosterhout <kleptog(at)svana(dot)org>, Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: temporary functions (and other object types) |
| Date: | 2010-11-06 17:09:49 |
| Message-ID: | AANLkTinWTm2rvJg+Xd3WTTjYJOZsQ=CKP-7dr-jCUiar@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sat, Nov 6, 2010 at 11:36 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
>> On Fri, Nov 05, 2010 at 09:01:50PM -0400, Robert Haas wrote:
>>> I see that there could be a problem here with SECURITY DEFINER
>>> functions, but I'm not clear whether it goes beyond that?
>
>> IIRC correctly it's because even unpriveledged users can make things in
>> the pg_temp schema and it's implicitly at the front of the search_path.
>> There was a CVE about this a while back, no?
>
> Yeah, we changed that behavior as part of the fix for CVE-2007-2138.
> You'd need either SECURITY DEFINER functions or very careless use of
> SET ROLE/SET SESSION AUTHORIZATION for the issue to be exploitable.
Would it be practical to let foo() potentially mean pg_temp.foo()
outside of any SECURITY DEFINER context?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Fetter | 2010-11-06 17:17:05 | Re: Query Plan Columns |
| Previous Message | Tom Lane | 2010-11-06 17:07:19 | Re: Should we use make -k on the buildfarm? |