From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
---|---|
To: | ZhangChi <798604270(at)qq(dot)com>, pgsql-bugs <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: BUG #18936: Trigger enable users to modify the tables which he doesn't have privilege |
Date: | 2025-05-24 05:09:56 |
Message-ID: | ca81922f585aeedfb33eeeecb805dfa4a61e072b.camel@cybertec.at |
Lists: | pgsql-bugs |
On Sat, 2025-05-24 at 11:06 +0800, ZhangChi wrote:
> However, it is common in some database servers for an attacker to gain minimal privileges
> on a single table within a target database. For instance, when registering an account on a
> service, the system might grant the user access to a dedicated table. Using the TRIGGER
> mechanism as I showed, such an attacker could then delete or exfiltrate data from other
> tables beyond their authorized access. Notably, this attack doesn't require superuser
> privileges - only access to the two relevant tables.
>
> Permitting users to create triggers that can affect tables beyond their privilege scope
> appears to be a problematic design choice. Such triggers may be inadvertently executed
> by privileged users without their knowledge, creating potential security vulnerabilities.

The effects of a trigger are limited by the permissions of the executing user or
(in the case of SECURITY DEFINER) the owner of the trigger function.

Therefore, as I said, it is commendable never to do DML as a superuser.

There are cases where superusers perform DML, like restoring a pg_dump.
PostgreSQL takes great care that nothing can go wrong in these cases.

Yours,
Laurenz Albe
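
An added example, not part of the original message or of PostgreSQL's own tooling: a catalog audit that a privileged role could run before doing DML, following the point above that a trigger acts with the permissions of the executing user unless its function is SECURITY DEFINER. It uses only standard pg_catalog relations and functions; the choice of filters is an assumption about what is worth reviewing.

```sql
-- 1. Enabled, user-defined triggers whose function is NOT SECURITY DEFINER
--    (so it runs with the privileges of whoever performs the DML) and is
--    owned by a non-superuser role. Triggers have no owner of their own,
--    so the function owner is the closest attribution the catalog offers.
SELECT n.nspname           AS table_schema,
       c.relname           AS table_name,
       t.tgname            AS trigger_name,
       p.oid::regprocedure AS trigger_function,
       fo.rolname          AS function_owner,
       tbo.rolname         AS table_owner
FROM pg_catalog.pg_trigger t
JOIN pg_catalog.pg_class c     ON c.oid = t.tgrelid
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
JOIN pg_catalog.pg_proc p      ON p.oid = t.tgfoid
JOIN pg_catalog.pg_roles fo    ON fo.oid = p.proowner
JOIN pg_catalog.pg_roles tbo   ON tbo.oid = c.relowner
WHERE NOT t.tgisinternal        -- skip constraint/FK triggers
  AND NOT p.prosecdef           -- runs as the caller, not the function owner
  AND NOT fo.rolsuper
  AND t.tgenabled <> 'D'        -- 'D' = disabled
ORDER BY 1, 2, 3;

-- 2. Non-superuser roles, other than the table owner, that hold the TRIGGER
--    privilege on ordinary or partitioned tables, i.e. roles able to attach
--    a trigger to a table they do not own.
SELECT r.rolname, n.nspname AS table_schema, c.relname AS table_name
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN pg_catalog.pg_roles r
WHERE c.relkind IN ('r', 'p')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT r.rolsuper
  AND r.oid <> c.relowner
  AND pg_catalog.has_table_privilege(r.oid, c.oid, 'TRIGGER')
ORDER BY 1, 2, 3;
```

Rows from the first query identify tables where DML by a privileged role would run another role's code with the privileged role's permissions.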