Re: [BUGS] BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe

Heikki Linnakangas Mon, 31 Mar 2008 14:40:25 -0700

Lars Olson wrote:

Creating a view that depends on the value of SESSION_USER enables a
minimally-privileged user to write a user-defined function that contains a
trojan-horse to get arbitrary data from the base table.  Using CURRENT_USER
instead still enables a similar vulnerability.


To reproduce the problem, create three users, alice (base table owner), bob
(attacker), and carol (other minimally-privileged user).  As Alice, create
the following table and view:
...

This seems to be an instance of the general trojan-horse problemdiscussed here:


http://archives.postgresql.org/pgsql-hackers/2008-01/msg00268.php

In a nutshell, it's just not safe to access a view or function owned bya user you don't trust. :-(


--
  Heikki Linnakangas
  EnterpriseDB   http://www.enterprisedb.com

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs

Re: [BUGS] BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe

Reply via email to