Re: BUG #18936: Trigger enable users to modify the tables which he doesn't have privilege

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: 798604270(at)qq(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #18936: Trigger enable users to modify the tables which he doesn't have privilege
Date: 2025-05-21 06:17:53
Message-ID: c842110a59d8c273c2edecc3510e2c3a4bca3d3c.camel@cybertec.at
Lists: pgsql-bugs

On Tue, 2025-05-20 at 13:07 +0000, PG Bug reporting form wrote:
> If an attacker gains privileges on a table, they can exploit triggers to
> modify or exfiltrate data from other tables, provided the trigger can be
> activated by either a superuser or a user with privileges on the target
> tables.

That's working as designed.
If a superuser performs a data modification on a table owned by an
untrustworthy user, it is "game over".
That is one of the reasons why you should use a superuser only for tasks
that require superuser privileges.

Yours,
Laurenz Albe
