From: | Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com> |
---|---|
To: | Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: pg_amcheck option to install extension |
Date: | 2021-04-20 05:31:18 |
Message-ID: | FF80A50B-96BE-457F-B115-D65FF50CE50E@enterprisedb.com |
Lists: | pgsql-hackers |
> On Apr 19, 2021, at 9:22 PM, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
>
> On Mon, Apr 19, 2021 at 08:39:06PM -0700, Mark Dilger wrote:
>> This is a classic privilege escalation attack. Bob has one
>> privilege, and uses it to get another.
>
> Bob is a superuser, so it has all the privileges of the world for this
> instance. In what is that different from BASE_BACKUP or just COPY
> FROM PROGRAM?
I think you are conflating the concept of an operating system administrator with the concept of the database superuser/owner. If the operating system user that postgres is running as cannot execute any binaries, then "copy from program" is not a way for a database administrator to escape the jail. If Bob does not have ssh access to the system, he cannot run pg_basebackup.
> I am not following your argument here.
The argument is that the operating system user that postgres is running as, perhaps user "postgres", can read the files in the $PGDATA directory, but Bob can only see the MVCC view of the data, not the raw data. Installing contrib/amcheck allows Bob to get a peek behind the curtain.
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
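The exchange above turns on which database roles can already reach past the MVCC view, whether through superuser status, through the predefined roles that back COPY FROM PROGRAM and server-side file access, or through an installed amcheck. The following audit queries are an added example for readers of this thread, not something posted by either author. They assume PostgreSQL 11 or later (the pg_read_server_files, pg_write_server_files and pg_execute_server_program roles were introduced in that release) and use only the pg_roles, pg_extension and pg_has_role() catalog interfaces.

```sql
-- Added example (not from the thread): list login roles that can reach
-- beyond the MVCC view of the data, either as superuser or by membership
-- in the predefined roles that grant server-side program/file access.
-- pg_roles is readable by every user, so this needs no special privilege.
SELECT r.rolname,
       r.rolsuper                                                AS superuser,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS copy_from_program,
       pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')      AS read_server_files,
       pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER')     AS write_server_files
FROM pg_roles AS r
WHERE r.rolcanlogin
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER'))
ORDER BY r.rolname;

-- Added example (not from the thread): report whether contrib/amcheck is
-- installed in the current database, which version, and which role owns
-- the extension. An empty result means amcheck is not installed here.
SELECT e.extname,
       e.extversion,
       r.rolname AS extension_owner
FROM pg_extension AS e
JOIN pg_roles     AS r ON r.oid = e.extowner
WHERE e.extname = 'amcheck';
```

Run both queries in each database of the instance (extensions are per-database, roles are cluster-wide). Note that pg_has_role() reports true for every role when the role being checked is a superuser, which is why the superuser column is listed separately: a row with superuser = true already has everything, and the membership columns only add information for non-superuser roles.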