Message-ID: <8c533be4-5ed8-4658-86b6-212fb2d4d1a3@joeconway.com>
Date: Fri, 7 Jun 2024 09:22:21 -0400
Subject: Re: PG16.1 security breach?
To: "Zwettler Markus (OIZ)", "pgsql-general@lists.postgresql.org"
From: Joe Conway

On 6/7/24 07:04, Zwettler Markus (OIZ) wrote:
> I am running the following on Postgres 16.1 in database "postgres" as a
> superuser:
>
> create or replace function oiz.f_set_dbowner (p_dbowner text, p_dbname text)
>
> create role testuser with password 'testuser' login;
>
> then this new role is able to execute the function oiz.f_set_dbowner
> immediately even though I did not grant execute on this function to this role!
See: https://www.postgresql.org/docs/current/sql-createfunction.html

In particular, this part:

8<------------------------
Another point to keep in mind is that by default, execute privilege is granted to PUBLIC for newly created functions (see Section 5.7 for more information). Frequently you will wish to restrict use of a security definer function to only some users. To do that, you must revoke the default PUBLIC privileges and then grant execute privilege selectively. To avoid having a window where the new function is accessible to all, create it and set the privileges within a single transaction. For example:
8<------------------------

HTH,

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
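The pattern Joe points at, worked through for the function from the original report, as an added example that is not part of the thread: the function is created, its default PUBLIC execute privilege revoked and a selective grant issued inside one transaction, followed by a check that the unprivileged role can no longer call it. Only the signature oiz.f_set_dbowner(p_dbowner text, p_dbname text) comes from the thread; the function body, the schema creation, the dba_admins role and the trailing ALTER DEFAULT PRIVILEGES (which goes beyond the thread, covering functions created later in the schema) are assumptions.

```sql
-- Added example, not from the original thread. Assumes role testuser exists
-- (created in the original report) and that role dba_admins exists.
BEGIN;

CREATE SCHEMA IF NOT EXISTS oiz;

-- The function body is an assumption; the thread only shows the signature.
CREATE OR REPLACE FUNCTION oiz.f_set_dbowner(p_dbowner text, p_dbname text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so a caller cannot hijack unqualified names used in the body.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    -- format() with %I quotes identifiers, so caller-supplied names cannot
    -- inject SQL into the dynamically built statement.
    EXECUTE format('ALTER DATABASE %I OWNER TO %I', p_dbname, p_dbowner);
END;
$$;

-- The implicit "GRANT EXECUTE ... TO PUBLIC" is what let testuser call the
-- function immediately; take it away before anyone else can see the function.
REVOKE EXECUTE ON FUNCTION oiz.f_set_dbowner(text, text) FROM PUBLIC;

-- Then grant selectively to the roles that should be able to run it.
GRANT EXECUTE ON FUNCTION oiz.f_set_dbowner(text, text) TO dba_admins;

COMMIT;

-- Check: returns false for testuser, since it never received EXECUTE
-- (note it always returns true for a superuser).
SELECT has_function_privilege('testuser', 'oiz.f_set_dbowner(text, text)', 'EXECUTE');

-- Beyond the thread: stop PUBLIC from getting EXECUTE on functions that the
-- current role creates in schema oiz in the future, so the revoke step is
-- not forgotten for the next function.
ALTER DEFAULT PRIVILEGES IN SCHEMA oiz REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
```

Run the block as the superuser that owns the function; the has_function_privilege query can be repeated as a regression check after any later CREATE OR REPLACE of the function, which preserves existing grants but is worth verifying.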