From: "David G. Johnston"
Date: Wed, 12 Jun 2024 15:08:14 -0700
Subject: Re: PG16.1 security breach?
To: Ron Johnson
Cc: "pgsql-general@lists.postgresql.org"

On Wed, Jun 12, 2024 at 2:37 PM Ron Johnson wrote:

> On Wed, Jun 12, 2024 at 4:36 PM David G. Johnston <david.g.johnston@gmail.com> wrote:
>
>> On Mon, Jun 10, 2024 at 2:21 AM Laurenz Albe wrote:
>>
>>> > How is it that the default privilege granted to public doesn’t seem to care who the object creator
>>> > is yet when revoking the grant one supposedly can only do so within the scope of a single role?
>>>
>>> I don't understand what you wrote. ALTER DEFAULT PRIVILEGES also only applies to objects
>>> created by a single role when you grant default privileges.
>>
>> I think my point is that a paragraph like the following may be a useful addition:
>>
>> If one wishes to remove the default privilege granted to public to execute all newly created procedures it is necessary to revoke that privilege for every superuser in the system
>
> That seems... excessive. You can revoke other privs from public (can't you?), so why seemingly only do procedures/functions have this difficulty.

Neither domain, language, nor type seem problematic. Which just leaves connect and temp on databases which indeed have a similar issue but also the number of roles with createdb is likely significantly fewer than those with create on schema.

David J.
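The per-role revoke discussed in this thread, sketched as an added example (not part of the original message or of the PostgreSQL documentation); the schema name `app` is hypothetical. It relies on the documented rule that a per-schema REVOKE cannot remove a globally granted default, so the generated statements omit IN SCHEMA.

```sql
-- Added example; schema "app" is hypothetical.

-- 1. Generate one global REVOKE per role that can create objects in some
--    non-system schema (superusers always qualify). No IN SCHEMA clause:
--    a per-schema REVOKE cannot remove the built-in grant to PUBLIC.
--    In psql, end the query with \gexec instead of ; to run the output.
SELECT DISTINCT format(
         'ALTER DEFAULT PRIVILEGES FOR ROLE %I REVOKE EXECUTE ON ROUTINES FROM PUBLIC;',
         r.rolname)
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE r.rolname !~ '^pg_'
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE');

-- 2. Default privileges only affect routines created afterwards;
--    existing ones need an explicit revoke per schema.
REVOKE EXECUTE ON ALL ROUTINES IN SCHEMA app FROM PUBLIC;

-- 3. Verify: which creating roles now carry a global default-ACL entry
--    for routines (defaclnamespace = 0 means "not schema-specific").
SELECT d.defaclrole::regrole AS creator, d.defaclacl
FROM pg_default_acl d
WHERE d.defaclobjtype = 'f'
  AND d.defaclnamespace = 0;

-- 4. Audit: user-schema routines that PUBLIC can still execute.
SELECT p.oid::regprocedure AS routine, p.proowner::regrole AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_function_privilege('public', p.oid, 'EXECUTE');
```

A role created later, or one that later gains CREATE on a schema, has no default-ACL entry until step 1 is repeated for it, so the audit query in step 4 is worth running on a schedule.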