Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sGbDn-00Evhq-Ki for pgsql-general@arkaria.postgresql.org; Mon, 10 Jun 2024 09:21:48 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sGbDm-00A1o2-86 for pgsql-general@arkaria.postgresql.org; Mon, 10 Jun 2024 09:21:47 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sGbDl-00A1nu-SA for pgsql-general@lists.postgresql.org; Mon, 10 Jun 2024 09:21:46 +0000 Received: from mail-ed1-x530.google.com ([2a00:1450:4864:20::530]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sGbDk-000uQI-G1 for pgsql-general@lists.postgresql.org; Mon, 10 Jun 2024 09:21:46 +0000 Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-57c7440876bso1677929a12.0 for ; Mon, 10 Jun 2024 02:21:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cybertec-at.20230601.gappssmtp.com; s=20230601; t=1718011303; x=1718616103; darn=lists.postgresql.org; h=mime-version:user-agent:content-transfer-encoding:autocrypt :references:in-reply-to:date:cc:to:from:subject:message-id:from:to :cc:subject:date:message-id:reply-to; bh=5d/KAIr8D/D3d6B2rwIkOvtCS+WSxP7773OIjRpSUQk=; b=UMcnl0i51MEsOQ7C+aqEOKvJBFDokHcYS38XTwRAQFsI0S1DmpN9gxoL7fc73Tqvvl E2XLe31TsUHQBbokonD4nFR7zQTS9rwOTueG2sLyy3IgaKtB5f8eVbvXN+9L+TWkiR3J tQn66bmPGtOdSRJfgrqisFPW7cXvvI1OAtPHcm3ef8y0+fTZobsslRdg50Q14X4oW0XM pZGwVTnaW7y0EvN9M1n3vDrLQG9WRBBvroVP6rv3vDn1dW6tqLe3YYMk5voriuUWZG+U RIkqGElOGoeJvfjyX/wxXKt1L5Nr9q17tegiBklSIQnwYg2VduYzrBhmM4V8rR+rxCRv OtyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718011303; x=1718616103; h=mime-version:user-agent:content-transfer-encoding:autocrypt :references:in-reply-to:date:cc:to:from:subject:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=5d/KAIr8D/D3d6B2rwIkOvtCS+WSxP7773OIjRpSUQk=; b=Umh65xyPH31VO/RZIVSzk0kY4Gk24Fes627GRDSPzoDGipbGu+/24+PLBkx2EGWuhv 4jxPdZvNqI0tMM3ZJYzGn37O/8hOD7ePNfgji6NDIPC8Wihwwl3d2hk5GCG8KcjYrPy1 9zPqP+3uKAEJF5Dx9UtHq/gEGTpwBEDqulPv4LXzxIexU5iqBrTzzMokPWF8CXMhapwL U9HUZoRWIZi+vZ6CGcaIF4QLNwOhqt1WeGmtV1kITx5+2m2DbYL40ZkRbozZXxHLDLTa DCD0vUrNTcKr7HxG833mucd+uqAu/R4KFdCTUWqREUA5tqDLjsc/6avgoutUDP7JJqgb X2IA== X-Forwarded-Encrypted: i=1; AJvYcCWJw4D3hZmh7F4ghuoCn3zyfIh7tpLLelvJsaCrGe88lfHg6F7Eh+U7/bPx5V0G/iNm2hi4tzhAYlOAwExTw9doWkS1zT6+tMfEH0aLHwBmjGiy X-Gm-Message-State: AOJu0Yyxxe7tAaL8ObNozomlVXU6j0JvoiIjtLSuWRUnl4Lifb3RrXeP RsLbgc9CVIWDvcAhK0YrCUrxnAHFLrQhQy3DkBuiefrfliaRGDCy+9YsriPjqEw= X-Google-Smtp-Source: AGHT+IHfSgoNqFWQPTrAaILJdSrbY7MOyln62iPAnZZqIHSXhYZYkhivNbTrRJ5cMKHGBHo2HPQxZA== X-Received: by 2002:a50:a40a:0:b0:57c:6b62:9c12 with SMTP id 4fb4d7f45d1cf-57c6b629f8emr3387167a12.41.1718011303304; Mon, 10 Jun 2024 02:21:43 -0700 (PDT) Received: from localhost.localdomain ([2001:871:5e:83d3:f77f:74f6:fd3d:c6f1]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-57c67432820sm4555082a12.75.2024.06.10.02.21.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Jun 2024 02:21:43 -0700 (PDT) Message-ID: <416045c0e7deac5b9f25e5fc89beec2a702a0b4c.camel@cybertec.at> Subject: Re: PG16.1 security breach? From: Laurenz Albe To: "David G. Johnston" Cc: "Zwettler Markus (OIZ)" , Joe Conway , "pgsql-general@lists.postgresql.org" Date: Mon, 10 Jun 2024 11:21:42 +0200 In-Reply-To: References: <8c533be4-5ed8-4658-86b6-212fb2d4d1a3@joeconway.com> <6d223a4891287cfb08b720103faef2da1b5719f3.camel@cybertec.at> Autocrypt: addr=laurenz.albe@cybertec.at; prefer-encrypt=mutual; keydata=mQINBGGDwAQBEADgbWy5cKXQld3N2mF+DFyiNFbi2oBl2T+XgxpPF8wTRw2D/u4bBKXP0SYSE/lA86jIVNWWU0gf1KODIkVvgJm2w4vH2VBV1b7ddVViGl1Iu+9zaRnv9wulhnH42KefepXnoean6UT1EzLM0opF/Ik0j+40TxdRtobkBprkQUyHDXWlHc2ffPs3SipyFEP9AVLf7ejRC46CXWDnsqjOBSMEW8Z4HiK/8RrPZBsKLts8dJxKF4pygOdJb0CWk8k/X1jbcfdxo+zOLjOMvJcSJ2pFdJmQHU+JufB3rePziqQ2S9Ur6sccr9XnTC1GVBWN4Lf5VHq+vf+bFJjVwg+2hrySZnAVfcOrxoqFLErr7ug1zN2nM1kcpgA4VWn4gxlJtYNYYq+9WxX5dtvnNANlG3ZCrRKQzl8lxtzoF6Zo7LUhEqPaHDwn7Rvs+IdbOn41lF5UDTJGqmC4gS/bZydW2Fy3YWm4aSaN9fgFf8D+PVkrlKAZB7gBLz1TyHjbcRf85cYF+GKKrDld5SzMB/V60VX3oP/Eo8ikFpyWaqiz1f9X7MBot3/PjJkY+wDzp3nmb19QEcOBuQiSQ4xds2r0HewbuHTAR68u8jNNMGmpm2j4x+g09Jd/WQDjqlTBZ/jEltH41fYCCPWMfljXTOOXu2eLNGdfi7ETZogtwjM9oTtSPQARAQABtCdMYXVyZW56IEFsYmUgPGxhdXJlbnouYWxiZUBjeWJlcnRlYy5hdD6JAk4EEwEIADgWIQR0CqhbZGGABqoaSbdi8bhXA2EdmAUCYYPABAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBi8bhXA2EdmM/6EADK232JCwmBzhlj8h7U9CjG6kx0JHP3uJGv+XfsHtHAlmY/RCwF1BHMEsRlk bT5UrLvJ2jb99bA9QARzhFaxzyn0F/BUKzuIjRGNs/n6d5dNUFA0kOt8sX+TacmC GEyjEBCrVCm4ranBiUyePn9NhHNWnaex7pJyqvMLLdwW9BEMJx0Fqo+DN8ukbXmYRsmhEtd3ue+x/luYmOmJnaGtzInaY5aOJYbW9XqoRIZkZvOCgbi1FfvNmoqWa+3oVxTOgw9RafjJDyW0lTHzKGjbGI5ofMU98l+/hKJFYJqWUF6VpFJY5YIcN/1lf4ZICMwDl+MPIVo/tpq8L10seJL28nLlvw3K+cI+TVW8IW/qL/LyVoDofI3USeOORuYmhpWRhik8JXX6xf3v6GrRilJIPWNFIJbxm1ZblQiQnOw3IOW7T+8nAmPin1HKqM3VrOrJQ2VtShsefNBibNAsr1oFaqcDBkn3yGG8i6CTW+FyO4PZ+/EwNxMVgktxbYdy5AT1/lpXr5tB+phhLIyVfiBvrWs5EThxYMQ/L8Y85c3GMsAy1l/x4h3jqySIYy3SCU9+jc5UVuNnXljbvkEzJ+NLWJ6C1rACFWrMszgPdh5tCrlRY9PpmYll4JbCgb8BtxEIUmR+xr50/ZElEK5iml7Q00KUekCcDt+36PsyGFTXBzNOrkCDQRhg8AEARAAzOZ2tLHlI4rrhG411h6cdCFjBZxuljaFCxFyHn3m6wbGLqwBUWC5k8UrRqjHMz88KcTSaNO7XGAmCqPdWd2SeflPZRnNTbjsVpw7mLdffsBm4JX7kki2Pvk5h0NtYeidXT1PSpc2ri4DutYXuT9uD8RAm1wUDCE5HQNUihT/WH6opt+hskHW21uHao0+y822tG0QQcGMqdQR5Vxdxj89wiEPdqW+HpU/oOZIhrf2E7prduAppxixjHy/o1rcnoznnJvc8D3+YgI9O0LrBMij89dM55pRGbLovTR1oGR3U74sX774+0xmSzeIKwZfiMUz7Atlvfk5SHOsRUFPN2Ux9kaXiiBibQpHFxt7b lDrT4wxdLJ/XCdbPPAyl+lZtOLsaHEEZvYNyTXwZc35dVf3R4/oz20HoG6s7ct8e1 AQygj43XAERzty9SkWgxs8+grp1PrGx6FHVSYRqBM8dS/ZR6yRVwOwJXPyaSSqfIF21DkE4j1y4n+ItSewPGoRp8K/yWCikt6qlkVkO2ASNIiX04fAbtzwVOaNn8ZMRNqyvLc1fED4sr49onE4cAIcBLjcC3KL+w9DUGRQCdziROj5H2Yl/sXGPdMciUHo/Uz2rggc+2th3bQiMhrHWSsBpUkDQp0yWewemstPpPgBL3h2fHKaX8B9oH5Qu/H1IgrOuX8AEQEAAYkCNgQYAQgAIBYhBHQKqFtkYYAGqhpJt2LxuFcDYR2YBQJhg8AEAhsMAAoJEGLxuFcDYR2YuPwQAMkpGtR80pQ1gVsONhdkqj0H2eU66efP/gO3CoyaoIcvrpKYj7C2HipVSmkt1gpByL0X4AMQ/vKuknUz3wd28Ba+G1dCfbVs/Xiusq+SmpUj5rTwmYqdSjWMuCo1R6oS5hdJMdUUJYGMT0QkVlm1KnW8jkmCTl9GzjDxOAsN9O6/6lPzaGFtk9XF+34Bry/N4HKiJkqpC4+UTd0AprPfzJ2jdT64e1F0+W88X8y1bTTgNrHwK4mDiLnlE4SKRuEm54lNhJz//ar86Or5BErzNpM6TL7lk44QS06hwsMrEdKIy8J/SYJPjfzR8tIUnKscclVpOgjKaBqC+0iFiVaRqAgfOlIEiezX6kMh5Q2FIUfqs46qWhhXjRrdKOEoStYAaikdLu5ZXr7vfb0ZaDh+ZwTQtbSMFolyOkecwI81MCdbMfT/1TqIGTOdAj5as9fAakk0jb2pXgUYQ8X1DVTR8ahSDVEaw9VTmWiSvTxvguVJ1Mb7gG4Gmh6aviDTJhfXtH4rPUNXhDLqrTH8JkJjyKROOMakIF68Hjse5vUfUxreBEOtb5r1Coa2Fe7ncJayaSE7ryrDbFqpZ 36UMAx4ulWMyqJajLNGY0DdG8qIsR5nxRhrnK/mrCidZ8F9/D3bWAl4rjtHlsztN59 +AnW5l0HsQcY9ntFL/zEBOaonjdJf Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.50.4 (3.50.4-1.fc39) MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Fri, 2024-06-07 at 07:42 -0700, David G. Johnston wrote: > On Friday, June 7, 2024, Laurenz Albe wrote: > > On Fri, 2024-06-07 at 13:54 +0000, Zwettler Markus (OIZ) wrote: > > > > Another point to keep in mind is that by default, execute privilege= is granted to > > > > PUBLIC for newly created functions (see Section 5.7 for more inform= ation). > > >=20 > > > Argh. No! What a bad habit! > > >=20 > > > Might be good idea for an enhancement request to create a global para= meter to disable this habit. > >=20 > > I don't see the problem, since the default execution mode for functions= is > > SECURITY INVOKER. > >=20 > > But you can easily change that: > >=20 > > =C2=A0 ALTER DEFAULT PRIVILEGES FOR ROLE function_creator REVOKE EXECUT= E ON FUNCTION FROM PUBLIC; >=20 > You named function_creator here when in this example the role creating th= e new object is postgres. Then use "postgres" rather than "function_creator". An ALTER DEFAULT PRIVILEGES statement always only changes default privilege= s for objects created by a certain user. > How is it that the default privilege granted to public doesn=E2=80=99t se= em to care who the object creator > is yet when revoking the grant one supposedly can only do so within the s= cope of a single role? I don't understand what you wrote. ALTER DEFAULT PRIVILEGES also only appl= ies to objects created by a single role when you grant default privileges. Yours, Laurenz Albe