From: "David G. Johnston"
Date: Fri, 7 Jun 2024 07:42:31 -0700
Subject: PG16.1 security breach?
To: Laurenz Albe
Cc: "Zwettler Markus (OIZ)", Joe Conway, "pgsql-general@lists.postgresql.org"
In-Reply-To: <6d223a4891287cfb08b720103faef2da1b5719f3.camel@cybertec.at>
References: <8c533be4-5ed8-4658-86b6-212fb2d4d1a3@joeconway.com> <6d223a4891287cfb08b720103faef2da1b5719f3.camel@cybertec.at>

On Friday, June 7, 2024, Laurenz Albe <laurenz.albe@cybertec.at> wrote:

> On Fri, 2024-06-07 at 13:54 +0000, Zwettler Markus (OIZ) wrote:
> > > Another point to keep in mind is that by default, execute privilege is granted to
> > > PUBLIC for newly created functions (see Section 5.7 for more information).
> >
> > Argh. No! What a bad habit!
> >
> > Might be good idea for an enhancement request to create a global parameter to disable this habit.
>
> I don't see the problem, since the default execution mode for functions is
> SECURITY INVOKER.
>
> But you can easily change that:
>
>   ALTER DEFAULT PRIVILEGES FOR ROLE function_creator REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

You named function_creator here when in this example the role creating the new object is postgres. How is it that the default privilege granted to public doesn’t seem to care who the object creator is yet when revoking the grant one supposedly can only do so within the scope of a single role?

David J.
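The scoping discussed in this message, as an added example that is not part of the original thread: it applies the quoted `ALTER DEFAULT PRIVILEGES` statement for one creator role, creates a function as that role and as a second role, and then checks which function PUBLIC can still execute. The role `other_creator`, the schema `demo` and the function names are constructed for illustration; it assumes a superuser session in a scratch database.

```sql
-- Added example: constructed roles, schema and functions, not from the thread.
CREATE ROLE function_creator;
CREATE ROLE other_creator;
CREATE SCHEMA demo;
GRANT USAGE, CREATE ON SCHEMA demo TO function_creator, other_creator;

-- The statement quoted in the thread. It changes the defaults only for
-- objects that function_creator creates from now on. It is global (no
-- IN SCHEMA clause), which is required to remove a built-in default such
-- as EXECUTE for PUBLIC; a per-schema revoke cannot remove it.
ALTER DEFAULT PRIVILEGES FOR ROLE function_creator
    REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- One function per creator role.
SET ROLE function_creator;
CREATE FUNCTION demo.f_restricted() RETURNS int LANGUAGE sql AS 'SELECT 1';
RESET ROLE;

SET ROLE other_creator;
CREATE FUNCTION demo.f_open() RETURNS int LANGUAGE sql AS 'SELECT 1';
RESET ROLE;

-- Compare the outcome: does PUBLIC hold EXECUTE on each function?
SELECT p.oid::regprocedure                                AS function,
       pg_get_userbyid(p.proowner)                        AS owner,
       has_function_privilege('public', p.oid, 'EXECUTE') AS public_can_execute,
       p.proacl                                           AS acl
FROM   pg_proc p
WHERE  p.pronamespace = 'demo'::regnamespace
ORDER  BY 1;

-- Audit: which creator roles have overridden the built-in defaults?
-- A creator role with no row here still grants EXECUTE to PUBLIC.
SELECT pg_get_userbyid(d.defaclrole)   AS creator_role,
       d.defaclnamespace::regnamespace AS schema,
       d.defaclobjtype                 AS objtype,   -- 'f' = functions
       d.defaclacl                     AS default_acl
FROM   pg_default_acl d;

-- Cleanup of the constructed objects.
DROP SCHEMA demo CASCADE;
ALTER DEFAULT PRIVILEGES FOR ROLE function_creator
    GRANT EXECUTE ON FUNCTIONS TO PUBLIC;
DROP ROLE function_creator, other_creator;
```

`FOR ROLE` accepts a comma-separated list of roles, so the revoke has to name every role that creates functions; omitting `FOR ROLE` applies it to the current role only.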