From: Noah Misch
To: pgsql-docs@postgresql.org
Subject: Schema Usage Patterns vs. dbowner or CREATEROLE
Date: Sat, 12 Oct 2019 18:35:12 -0700
Message-ID: <20191013013512.GC4131753@rfd.leadboat.com>

When I updated https://www.postgresql.org/docs/devel/ddl-schemas.html#DDL-SCHEMAS-PATTERNS for CVE-2018-1058, I wrote that some schema usage patterns are secure against CREATEROLE users and database owners. That was incorrect. Even with the first pattern, a database owner can attack the database's users via "CREATE SCHEMA trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". A CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the database owner attack.

I plan to update this section to assert that all three usage patterns are equally vulnerable to dbowner and CREATEROLE attack. (The technique described under "If untrusted users have access to a database ..." in libpq.sgml remains secure.)
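The two exposures the message describes (a database-level search_path override set by a database owner, and a CREATEROLE user granting itself a database owner role) both leave traces in the system catalogs. The following audit queries are an added example and are not part of Noah's message or of the PostgreSQL documentation; they use only the standard catalogs pg_db_role_setting, pg_database, pg_roles and pg_auth_members, and assume they are run by a superuser or another role that can read those catalogs.

```sql
-- 1. Per-database and per-role search_path overrides.
--    An entry here for a database you did not configure yourself is the
--    footprint of "ALTER DATABASE ... SET search_path = ..." from the message.
SELECT COALESCE(d.datname, '(all databases)') AS database,
       COALESCE(r.rolname, '(all roles)')     AS role,
       s.setconfig                            AS settings
FROM pg_db_role_setting s
LEFT JOIN pg_database d ON d.oid = s.setdatabase
LEFT JOIN pg_roles    r ON r.oid = s.setrole
WHERE EXISTS (SELECT 1
              FROM unnest(s.setconfig) AS c
              WHERE c LIKE 'search_path=%');

-- 2. Non-superuser roles that hold CREATEROLE.  Each of these can grant
--    itself membership in a database owner role, as the message explains,
--    so the list should be short and every entry deliberate.
SELECT rolname
FROM pg_roles
WHERE rolcreaterole AND NOT rolsuper;

-- 3. Roles that are members of a database owner role, with who granted the
--    membership.  A grant whose grantor is the member itself (or a
--    CREATEROLE role) rather than an administrator deserves a second look.
SELECT d.datname,
       pg_get_userbyid(d.datdba)   AS owner,
       m.rolname                   AS member,
       pg_get_userbyid(am.grantor) AS granted_by,
       am.admin_option
FROM pg_database d
JOIN pg_auth_members am ON am.roleid = d.datdba
JOIN pg_roles        m  ON m.oid     = am.member
ORDER BY d.datname, m.rolname;

-- 4. Remediation for an unexpected database-level override found by query 1.
--    "mydb" is a placeholder for the affected database.  After this, sessions
--    fall back to the server default unless a per-role setting also exists,
--    so re-run query 1 to confirm nothing is left.
-- ALTER DATABASE mydb RESET search_path;
```

Query 1 is the one worth scheduling: a new search_path entry in pg_db_role_setting is visible the moment it is set, long before any user session picks it up, and it is the same catalog that backs "\drds" in psql. Query 2 and query 3 together show the second path in the message, since CREATEROLE on its own looks harmless until it is combined with membership in the owner role.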