Hi,
On 2023-01-13 10:04:19 -0800, Jeff Davis wrote:
> However, the normal use case for expressions (whether in a default
> expression or check constraint or whatever) is very simple and doesn't
> even involve table access. There must be a way to satisfy those simple
> cases without opening up a va
On Fri, 2023-01-13 at 00:16 -0800, Andres Freund wrote:
> Just think of set_config(), pg_read_file(), lo_create(),
> binary_upgrade_*(),
> pg_drop_replication_slot()...
Thank you for walking through the details here. I missed it from your
first example because it was an extreme case -- a superuse
On Thu, 2023-01-12 at 19:38 -0800, Andres Freund wrote:
> I.e. the default arguments where evaluated with the invoker's
> permissions, not
> the definer's, despite being controlled by the less privileged user.
This is a very interesting case. It also involves tricking the
superuser into executing
Hi,
On 2023-01-12 23:38:50 -0800, Jeff Davis wrote:
> On Thu, 2023-01-12 at 19:29 -0800, Andres Freund wrote:
> > superuser:
> > # CREATE FUNCTION exec_su(p_sql text) RETURNS text LANGUAGE plpgsql
> > SECURITY DEFINER AS $$BEGIN RAISE NOTICE 'executing %', p_sql;
> > EXECUTE p_sql;RETURN 'p_sql';E
Hi,
On Thu, 2023-01-12 at 19:29 -0800, Andres Freund wrote:
> superuser:
> # CREATE FUNCTION exec_su(p_sql text) RETURNS text LANGUAGE plpgsql
> SECURITY DEFINER AS $$BEGIN RAISE NOTICE 'executing %', p_sql;
> EXECUTE p_sql;RETURN 'p_sql';END;$$;
> # REVOKE ALL ON FUNCTION exec_su FROM PUBLIC ;
T
On 2023-01-12 19:29:43 -0800, Andres Freund wrote:
> Hi,
>
> On 2023-01-12 18:40:30 -0800, Jeff Davis wrote:
> > On Wed, 2023-01-11 at 19:33 -0800, Andres Freund wrote:
> >
> > > and the
> > > privilege check will be done with the rights of the admin in many of
> > > these
> > > contexts.
> >
> >
Hi,
On 2023-01-12 18:40:30 -0800, Jeff Davis wrote:
> On Wed, 2023-01-11 at 19:33 -0800, Andres Freund wrote:
>
> > and the
> > privilege check will be done with the rights of the admin in many of
> > these
> > contexts.
>
> Can you explain?
If the less-privileged user does *not* have execution r
On Wed, 2023-01-11 at 19:33 -0800, Andres Freund wrote:
> and the
> privilege check will be done with the rights of the admin in many of
> these
> contexts.
Can you explain?
> And encouraging more security definer functions to be used will cause
> a lot of
> other security issues.
My proposal j
Hi,
On 2023-01-11 18:16:32 -0800, Jeff Davis wrote:
> Motivation
> ==
>
> SECURITY INVOKER is dangerous, particularly for administrators. There
> are numerous ways to put code in a place that's likely to be executed:
> triggers, views calling functions, logically-replicated tables, casts
