public inbox for [email protected]  
From: David G. Johnston <[email protected]>
To: Zwettler Markus (OIZ) <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: PG16.1 security breach?
Date: Fri, 7 Jun 2024 07:16:04 -0700
Message-ID: <CAKFQuwZwgXeFNWz2UQvpJUhuhH-mqa+V+3XXCsWRcL6jiW0riQ@mail.gmail.com> (raw)
In-Reply-To: <GV0P278MB00996776669F54A7EADB64688BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
References: <GV0P278MB00996776669F54A7EADB64688BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>

On Friday, June 7, 2024, Zwettler Markus (OIZ) <[email protected]>
wrote:

>
> grant usage on schema oiz to public;
>
>
>
> The role is also able to execute the function even if I revoke any execute
> privilege explicitly:
>
>
>
> revoke execute on function oiz.f_set_dbowner (p_dbowner text, p_dbname
> text) from testuser;
>
>
You never typed “grant execute … to testuser” nor set up a default privilege
for them, so there is nothing there to revoke. As was noted, the
combination of your explicit usage grant, and the default execute grant,
given to the public pseudo-role, enables this.

>
>
> There are also no default privileges on the schema:
>
>
You explicitly granted usage to the pseudo-role public…


It is doubtful we’d add a global setting to control this. And it’s a
hard sell changing such a pervasive default. As most functions are
security invoker, and many are side-effect free, the default does have
merit. If your function is neither, undoing the default is something that
should probably be done.

I could maybe see adding a new “revoke all default privileges from public”
command.

David J.
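
Added example (not part of the email above and not the poster's code): a scratch-database script that reproduces the behaviour discussed in this message and then undoes the default for the one function and for future functions. The function body, the `SECURITY DEFINER` attribute, the role `dbowner_admin` and the function `oiz.f_new` are assumptions made for illustration; only the schema name, the function signature and `testuser` come from the thread.

```sql
-- Constructed reproduction: run as a superuser in a scratch cluster where
-- the roles below do not exist yet. Everything is rolled back at the end.
BEGIN;

CREATE ROLE testuser;
CREATE ROLE dbowner_admin;   -- hypothetical role that is meant to call the function
CREATE SCHEMA oiz;

-- Placeholder body and SECURITY DEFINER are assumptions; the thread shows
-- only the signature.
CREATE FUNCTION oiz.f_set_dbowner(p_dbowner text, p_dbname text)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$ BEGIN RAISE NOTICE 'owner of % -> %', p_dbname, p_dbowner; END $$;

GRANT USAGE ON SCHEMA oiz TO PUBLIC;

-- A NULL proacl means the built-in default applies, which includes
-- EXECUTE for the PUBLIC pseudo-role.
SELECT proacl FROM pg_proc
 WHERE oid = 'oiz.f_set_dbowner(text, text)'::regprocedure;

-- testuser holds no grant of its own, so this statement removes nothing;
-- its access comes through PUBLIC.
REVOKE EXECUTE ON FUNCTION oiz.f_set_dbowner(text, text) FROM testuser;
SELECT has_function_privilege('testuser',
       'oiz.f_set_dbowner(text, text)', 'EXECUTE') AS after_revoke_from_testuser;

-- Undo the default on this function, then grant only to the intended role.
REVOKE EXECUTE ON FUNCTION oiz.f_set_dbowner(text, text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION oiz.f_set_dbowner(text, text) TO dbowner_admin;
SELECT has_function_privilege('testuser',
       'oiz.f_set_dbowner(text, text)', 'EXECUTE') AS after_revoke_from_public;

-- Functions created later by the current role: the revoke has to be global
-- (no IN SCHEMA), because per-schema default privileges can only add to the
-- global defaults, not take away from them.
ALTER DEFAULT PRIVILEGES REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

CREATE FUNCTION oiz.f_new() RETURNS int LANGUAGE sql AS 'SELECT 1';  -- hypothetical
SELECT has_function_privilege('testuser', 'oiz.f_new()', 'EXECUTE') AS new_function;

ROLLBACK;
```

`ALTER DEFAULT PRIVILEGES` without `FOR ROLE` covers only objects created by the role that runs it, so each role that creates functions needs its own statement.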

