public inbox for [email protected]  
From: Joe Conway <[email protected]>
To: Zwettler Markus (OIZ) <[email protected]>
To: [email protected] <[email protected]>
Subject: Re: PG16.1 security breach?
Date: Fri, 7 Jun 2024 09:22:21 -0400
Message-ID: <[email protected]>
In-Reply-To: <GV0P278MB00996776669F54A7EADB64688BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
References: <GV0P278MB00996776669F54A7EADB64688BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>

On 6/7/24 07:04, Zwettler Markus (OIZ) wrote:
> I am running the following on Postgres 16.1 in database "postgres" as a 
> superuser:

<snip>

> create or replace function oiz.f_set_dbowner (p_dbowner text, p_dbname text)

<snip>

> create role testuser with password 'testuser' login;

<snip>

> then this new role is able to execute the function oiz.f_set_dbowner 
> immediately even though I did not grant execute on this function to this role!

See:
https://www.postgresql.org/docs/current/sql-createfunction.html

In particular, this part:
8<------------------------
Another point to keep in mind is that by default, execute privilege is 
granted to PUBLIC for newly created functions (see Section 5.7 for more 
information). Frequently you will wish to restrict use of a security 
definer function to only some users. To do that, you must revoke the 
default PUBLIC privileges and then grant execute privilege selectively. 
To avoid having a window where the new function is accessible to all, 
create it and set the privileges within a single transaction. For example:
8<------------------------

HTH,

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
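The pattern the quoted documentation recommends, as an added example that is not part of this thread: the function body is a constructed stand-in for the snipped one, and the role name dbowner_admin is assumed.

```sql
-- Added example (not from the thread): create the SECURITY DEFINER function
-- and fix its privileges in the same transaction, so there is no window in
-- which the default EXECUTE grant to PUBLIC is in effect.
BEGIN;

CREATE SCHEMA IF NOT EXISTS oiz;

-- Assumed role that is meant to call the function.
CREATE ROLE dbowner_admin NOLOGIN;

-- Constructed stand-in for the snipped body; the thread does not show it.
CREATE OR REPLACE FUNCTION oiz.f_set_dbowner(p_dbowner text, p_dbname text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- A SECURITY DEFINER function runs as its owner (here a superuser), so pin
-- search_path instead of resolving names through the caller's setting.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    EXECUTE format('ALTER DATABASE %I OWNER TO %I', p_dbname, p_dbowner);
END;
$$;

-- New functions are executable by PUBLIC by default: take that away first ...
REVOKE ALL ON FUNCTION oiz.f_set_dbowner(text, text) FROM PUBLIC;

-- ... then grant EXECUTE only to the role that should have it.
GRANT EXECUTE ON FUNCTION oiz.f_set_dbowner(text, text) TO dbowner_admin;

COMMIT;

-- Check who can execute the function now (testuser is the role from the thread).
SELECT r.rolname,
       has_function_privilege(r.rolname,
                              'oiz.f_set_dbowner(text, text)',
                              'EXECUTE') AS can_execute
FROM pg_roles AS r
WHERE r.rolname IN ('testuser', 'dbowner_admin');
```

The same REVOKE/GRANT step applies to any function created before this was noticed; the check query shows which roles still have EXECUTE.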