Message-ID: <998b0cf7-d2f1-407a-965c-211cfc89ad47@joeconway.com>
Date: Thu, 13 Jun 2024 07:59:20 -0400
Subject: Re: PG16.1 security breach?
From: Joe Conway
To: Tom Lane, Ron Johnson
Cc: pgsql-general@lists.postgresql.org
In-Reply-To: <1691575.1718233014@sss.pgh.pa.us>
References: <8c533be4-5ed8-4658-86b6-212fb2d4d1a3@joeconway.com> <6d223a4891287cfb08b720103faef2da1b5719f3.camel@cybertec.at> <416045c0e7deac5b9f25e5fc89beec2a702a0b4c.camel@cybertec.at> <1691575.1718233014@sss.pgh.pa.us>

On 6/12/24 18:56, Tom Lane wrote:
> Ron Johnson writes:
>> On Wed, Jun 12, 2024 at 4:36 PM David G. Johnston <david.g.johnston@gmail.com> wrote:
>>> I think my point is that a paragraph like the following may be a useful
>>> addition:
>>>
>>> If one wishes to remove the default privilege granted to public to execute
>>> all newly created procedures it is necessary to revoke that privilege for
>>> every superuser in the system
>
>> That seems... excessive.
>
> More to the point, it's wrong. Superusers have every privilege there
> is "ex officio"; we don't even bother to look at the catalog entries
> when considering a privilege check for a superuser. Revoking their
> privileges will accomplish nothing, and it does nothing about the
> actual source of the problem (the default grant to PUBLIC) either.
>
> What I'd do if I didn't like this policy is some variant of
>
> ALTER DEFAULT PRIVILEGES IN SCHEMA public
> REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

In a past blog[1] I opined that this cleans up the default security
posture fairly completely:

8<----------------------
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE EXECUTE ON ALL ROUTINES IN SCHEMA public FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  REVOKE EXECUTE ON ROUTINES FROM PUBLIC;
-- And/or possibly, more drastic options:
-- REVOKE USAGE ON SCHEMA public FROM PUBLIC;
-- DROP SCHEMA public CASCADE;
REVOKE TEMPORARY ON DATABASE FROM PUBLIC;
REVOKE USAGE ON LANGUAGE sql, plpgsql FROM PUBLIC;
8<----------------------

> Repeat for each schema that you think might be publicly readable
> (which is only public by default).

indeed

> BTW, in PG 15 and up, the public schema is not writable by
> default, which attacks basically the same problem from a different
> direction.

also a good point

[1] https://www.crunchydata.com/blog/postgresql-defaults-and-impact-on-security-part-2

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
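As an added example, not from the thread or the blog Joe links, the following psql script verifies the effect of the cleanup statements above with has_function_privilege(); the role names app_owner and app_reader and the two function names are assumed, and it is meant to be run as a superuser in a scratch database. It also carries one caveat the thread does not spell out: ALTER DEFAULT PRIVILEGES applies to objects created by the role named in FOR ROLE, which defaults to the role running the statement.

```sql
-- Added example, not from the thread or the linked blog. Roles app_owner and
-- app_reader and the function names are assumed; run as a superuser in a
-- scratch database.
CREATE ROLE app_owner;
CREATE ROLE app_reader;
-- PG 15+ no longer gives PUBLIC CREATE on schema public, so grant it explicitly.
GRANT CREATE ON SCHEMA public TO app_owner;

-- app_owner creates a function and grants nothing to app_reader.
SET ROLE app_owner;
CREATE FUNCTION public.secret_calc(integer) RETURNS integer
  LANGUAGE sql AS 'SELECT $1 * 2';
RESET ROLE;

-- Default posture: the built-in grant of EXECUTE to PUBLIC lets app_reader
-- call the function even though nobody granted it anything.
SELECT has_function_privilege('app_reader', 'public.secret_calc(integer)', 'EXECUTE');

-- Apply the cleanup from the message. FOR ROLE is the caveat: without it,
-- ALTER DEFAULT PRIVILEGES only covers routines created by the role running
-- the statement (here the superuser), not routines app_owner creates later.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE EXECUTE ON ALL ROUTINES IN SCHEMA public FROM PUBLIC;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
  REVOKE EXECUTE ON ROUTINES FROM PUBLIC;

-- Re-check: the existing function is now closed to app_reader...
SELECT has_function_privilege('app_reader', 'public.secret_calc(integer)', 'EXECUTE');

-- ...and so is a function app_owner creates afterwards, because the
-- per-role default ACL no longer hands EXECUTE to PUBLIC.
SET ROLE app_owner;
CREATE FUNCTION public.later_calc(integer) RETURNS integer
  LANGUAGE sql AS 'SELECT $1 + 1';
RESET ROLE;
SELECT has_function_privilege('app_reader', 'public.later_calc(integer)', 'EXECUTE');

-- The owner keeps EXECUTE, and a superuser passes every privilege check
-- without the catalog ACL being consulted, which is why "revoke it from
-- every superuser" (as proposed upthread) changes nothing.
SELECT has_function_privilege('app_owner', 'public.later_calc(integer)', 'EXECUTE');
SELECT has_function_privilege(current_user, 'public.later_calc(integer)', 'EXECUTE');

-- Remove the scratch objects; DROP OWNED also drops app_owner's default ACL entry.
DROP FUNCTION public.secret_calc(integer), public.later_calc(integer);
DROP OWNED BY app_owner, app_reader;
DROP ROLE app_owner, app_reader;
```

Run the same has_function_privilege() checks against your real application roles after applying the cleanup to each schema; a true result for a role that should not be calling the routine means a default ACL for some other creating role is still granting to PUBLIC.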