public inbox for [email protected]  
From: Joe Conway <[email protected]>
To: Tom Lane <[email protected]>
To: Ron Johnson <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: PG16.1 security breach?
Date: Thu, 13 Jun 2024 07:59:20 -0400
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <GV0P278MB00996776669F54A7EADB64688BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<[email protected]>
	<GV0P278MB00993C93868025F89845F58D8BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<[email protected]>
	<CAKFQuwaMthLY0XFtv44EBwc=nAwJO0_onACZoG0bnj9jvPBA5Q@mail.gmail.com>
	<[email protected]>
	<CAKFQuwbtQzCnXyaRdxeXOqEWszYoQqZiJwdy41X1bH_=cJK-ug@mail.gmail.com>
	<CANzqJaCZ_+UKf5g5qW8XDzVQO08yhKgJtr-T3vD0SAf5jLF0FA@mail.gmail.com>
	<[email protected]>

On 6/12/24 18:56, Tom Lane wrote:
> Ron Johnson <[email protected]> writes:
>> On Wed, Jun 12, 2024 at 4:36 PM David G. Johnston <
>> [email protected]> wrote:
>>> I think my point is that a paragraph like the following may be a useful
>>> addition:
>>> 
>>> If one wishes to remove the default privilege granted to public to execute
>>> all newly created procedures it is necessary to revoke that privilege for
>>> every superuser in the system
> 
>> That seems... excessive.
> 
> More to the point, it's wrong.  Superusers have every privilege there
> is "ex officio"; we don't even bother to look at the catalog entries
> when considering a privilege check for a superuser.  Revoking their
> privileges will accomplish nothing, and it does nothing about the
> actual source of the problem (the default grant to PUBLIC) either.
> 
> What I'd do if I didn't like this policy is some variant of
> 
> ALTER DEFAULT PRIVILEGES IN SCHEMA public
>    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

In a past blog[1] I opined that this cleans up the default security 
posture fairly completely:

8<----------------------
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE EXECUTE ON ALL ROUTINES IN SCHEMA public FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
REVOKE EXECUTE ON ROUTINES FROM PUBLIC;

-- And/or possibly, more drastic options:
-- REVOKE USAGE ON SCHEMA public FROM PUBLIC;
-- DROP SCHEMA public CASCADE;

REVOKE TEMPORARY ON DATABASE <your_db> FROM PUBLIC;
REVOKE USAGE ON LANGUAGE sql, plpgsql FROM PUBLIC;
8<----------------------

> Repeat for each schema that you think might be publicly readable
> (which is only public by default).

indeed

> BTW, in PG 15 and up, the public schema is not writable by
> default, which attacks basically the same problem from a different
> direction.

also a good point


[1] https://www.crunchydata.com/blog/postgresql-defaults-and-impact-on-security-part-2

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
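The hardening discussed above, as an added example that is not part of the thread: it is run as a superuser in a scratch database with constructed roles alice and bob, and it also checks the scope of ALTER DEFAULT PRIVILEGES, which without FOR ROLE only covers routines created by the role that issued it.

```sql
-- Added example, not from the thread. Run as a superuser in a scratch database.
-- Roles alice (creates routines) and bob (calls them) are constructed for this demo.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;
GRANT CREATE ON SCHEMA public TO alice;   -- needed on PG15+, where public is not writable by default

-- 1. Baseline: with the built-in default grant to PUBLIC in place,
--    a routine alice creates is callable by bob without any explicit GRANT.
SET ROLE alice;
CREATE FUNCTION public.fn_before() RETURNS int LANGUAGE sql AS 'SELECT 1';
RESET ROLE;
SELECT has_function_privilege('bob', 'public.fn_before()', 'EXECUTE');

-- 2. Apply the two routine-related statements from the message:
--    strip the existing grant, then the default grant for future routines.
REVOKE EXECUTE ON ALL ROUTINES IN SCHEMA public FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON ROUTINES FROM PUBLIC;
SELECT has_function_privilege('bob', 'public.fn_before()', 'EXECUTE');

-- 3. Scope check: the ALTER DEFAULT PRIVILEGES above was issued without FOR ROLE,
--    so it only applies to routines created by the issuing role (the superuser).
--    A routine alice creates next still gets the built-in default grant to PUBLIC.
SET ROLE alice;
CREATE FUNCTION public.fn_after() RETURNS int LANGUAGE sql AS 'SELECT 2';
RESET ROLE;
SELECT has_function_privilege('bob', 'public.fn_after()', 'EXECUTE');

-- 4. Cover routines alice creates by naming her as the target role, then re-check.
ALTER DEFAULT PRIVILEGES FOR ROLE alice IN SCHEMA public
    REVOKE EXECUTE ON ROUTINES FROM PUBLIC;
SET ROLE alice;
CREATE FUNCTION public.fn_after2() RETURNS int LANGUAGE sql AS 'SELECT 3';
RESET ROLE;
SELECT has_function_privilege('bob', 'public.fn_after2()', 'EXECUTE');

-- 5. Audit which default ACLs are in force, per creating role, schema and object type
--    ('f' is the object type for routines).
SELECT defaclrole::regrole, defaclnamespace::regnamespace, defaclobjtype, defaclacl
  FROM pg_default_acl;
```

Repeat step 4 for every role that creates routines (or make the statement global by omitting IN SCHEMA), since the default ACL is keyed on the creating role.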