From: | Marcin Barczyński <mba(dot)ogolny(at)gmail(dot)com> |
---|---|
To: | pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Inconsistent permission enforcement for schemas |
Date: | 2022-08-01 15:48:34 |
Message-ID: | CAK61bT-uP8rS9fYyc8SEjUNvXfra51+iaRchncnuzk2XJ=Cthg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Hello,
Why can a user access a table from a forbidden schema if the table is
explicitly specified in the definition of a view in an allowed schema? And
not if the table is accessed by a function used in the view.
Example:
```
DROP SCHEMA IF EXISTS forbidden_schema CASCADE;
DROP SCHEMA IF EXISTS allowed_schema CASCADE;
DROP FUNCTION IF EXISTS func CASCADE;
DROP USER IF EXISTS pinky;
CREATE SCHEMA forbidden_schema;
CREATE TABLE forbidden_schema.demo AS SELECT 1;
CREATE SCHEMA allowed_schema;
CREATE OR REPLACE FUNCTION func() RETURNS BIGINT AS
$$
DECLARE
i BIGINT;
BEGIN
SELECT * INTO i FROM forbidden_schema.demo;
RETURN i;
END;
$$ LANGUAGE plpgsql;
CREATE VIEW allowed_schema.can_see AS SELECT * FROM forbidden_schema.demo;
CREATE VIEW allowed_schema.cannot_see AS SELECT * FROM func();
CREATE ROLE pinky LOGIN NOSUPERUSER PASSWORD 'pinky';
GRANT ALL PRIVILEGES ON SCHEMA allowed_schema TO pinky;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA allowed_schema TO pinky;
```
And now, as user pinky:
```
q=> SELECT * FROM allowed_schema.can_see;
?column?
----------
1
(1 row)
q=> SELECT * FROM allowed_schema.cannot_see;
ERROR: permission denied for schema forbidden_schema
LINE 1: SELECT * FROM forbidden_schema.demo
^
QUERY: SELECT * FROM forbidden_schema.demo
CONTEXT: PL/pgSQL function func() line 5 at SQL statement
```
Best regards,
Marcin Barczyński
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2022-08-01 16:49:51 | Re: Inconsistent permission enforcement for schemas |
Previous Message | Guillaume Lelarge | 2022-08-01 13:18:35 | Re: "set autocommit on" in golang client query |