MIME-Version: 1.0
References: <GV0P278MB00996776669F54A7EADB64688BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
 <8c533be4-5ed8-4658-86b6-212fb2d4d1a3@joeconway.com> <GV0P278MB00993C93868025F89845F58D8BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
 <6d223a4891287cfb08b720103faef2da1b5719f3.camel@cybertec.at>
 <CAKFQuwaMthLY0XFtv44EBwc=nAwJO0_onACZoG0bnj9jvPBA5Q@mail.gmail.com> <416045c0e7deac5b9f25e5fc89beec2a702a0b4c.camel@cybertec.at>
In-Reply-To: <416045c0e7deac5b9f25e5fc89beec2a702a0b4c.camel@cybertec.at>
From: "David G. Johnston" <david.g.johnston@gmail.com>
Date: Wed, 12 Jun 2024 13:35:21 -0700
Message-ID: <CAKFQuwbtQzCnXyaRdxeXOqEWszYoQqZiJwdy41X1bH_=cJK-ug@mail.gmail.com>
Subject: Re: PG16.1 security breach?
To: Laurenz Albe <laurenz.albe@cybertec.at>
Cc: "Zwettler Markus (OIZ)" <Markus.Zwettler@zuerich.ch>, Joe Conway <mail@joeconway.com>, 
	"pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="0000000000006f8b13061ab754c9"
Archived-At: <https://www.postgresql.org/message-id/CAKFQuwbtQzCnXyaRdxeXOqEWszYoQqZiJwdy41X1bH_%3DcJK-ug%40mail.gmail.com>
Precedence: bulk

--0000000000006f8b13061ab754c9
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Jun 10, 2024 at 2:21=E2=80=AFAM Laurenz Albe <laurenz.albe@cybertec=
.at>
wrote:

> > How is it that the default privilege granted to public doesn=E2=80=99t =
seem to
> care who the object creator
> > is yet when revoking the grant one supposedly can only do so within the
> scope of a single role?
>
> I don't understand what you wrote.  ALTER DEFAULT PRIVILEGES also only
> applies to objects
> created by a single role when you grant default privileges.
>
>
I think my point is that a paragraph like the following may be a useful
addition:

If one wishes to remove the default privilege granted to public to execute
all newly created procedures it is necessary to revoke that privilege for
every superuser in the system as well as any roles that directly have
create permission on a schema and also those that inherit a create
permission on a schema.  Lastly, any new roles created in the future with
direct or indirect create permission on a schema must also be altered.  In
other words, the first time a role creates a routine the default privileges
involved with that creation will including granting execute to public,
unless said default privileges have already been revoked.

Maybe generalized to any of the default privileges.  I find the existing
wording to gloss over the fact that one cannot just decide up front they
want to not allow these default privileges to public once on a system-wide
basis but must continually maintain the default privileges as new roles are
added that are allowed to create different objects, directly or otherwise.

David J.

--0000000000006f8b13061ab754c9
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><div class=3D"gmail_default" style=3D"fon=
t-family:arial,helvetica,sans-serif"><span style=3D"font-family:Arial,Helve=
tica,sans-serif">On Mon, Jun 10, 2024 at 2:21=E2=80=AFAM Laurenz Albe &lt;<=
a href=3D"mailto:laurenz.albe@cybertec.at">laurenz.albe@cybertec.at</a>&gt;=
 wrote:</span><br></div></div><div class=3D"gmail_quote"><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex">&gt; How is it that the default privilege =
granted to public doesn=E2=80=99t seem to care who the object creator<br>
&gt; is yet when revoking the grant one supposedly can only do so within th=
e scope of a single role?<br>
<br>
I don&#39;t understand what you wrote.=C2=A0 ALTER DEFAULT PRIVILEGES also =
only applies to objects<br>
created by a single role when you grant default privileges.<br><br></blockq=
uote><div><br></div><div class=3D"gmail_default" style=3D"font-family:arial=
,helvetica,sans-serif">I think my point is that a paragraph like the follow=
ing may be a useful addition:</div><div class=3D"gmail_default" style=3D"fo=
nt-family:arial,helvetica,sans-serif"><br></div><div class=3D"gmail_default=
" style=3D"font-family:arial,helvetica,sans-serif">If one wishes to remove =
the default privilege granted to public to execute all newly created proced=
ures it is necessary to revoke that privilege for every superuser in the sy=
stem as well as any roles that directly have create permission on a schema =
and also those that inherit a create permission on a schema.=C2=A0 Lastly, =
any new roles created in the future with direct or indirect create permissi=
on on a schema must also be altered.=C2=A0 In other words, the first time a=
 role creates a routine the default privileges involved with that creation =
will including granting execute to public, unless said default privileges h=
ave already been revoked.</div><div class=3D"gmail_default" style=3D"font-f=
amily:arial,helvetica,sans-serif"><br></div><div class=3D"gmail_default" st=
yle=3D"font-family:arial,helvetica,sans-serif">Maybe generalized to any of =
the default privileges.=C2=A0 I find the existing wording to gloss over the=
 fact that one cannot just decide up front they want to not allow these def=
ault privileges to public=C2=A0once on a system-wide basis but must continu=
ally maintain the default privileges as new roles are added that are allowe=
d to create different objects, directly or otherwise.</div><div class=3D"gm=
ail_default" style=3D"font-family:arial,helvetica,sans-serif"><br></div><di=
v class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif">=
David J.</div><div class=3D"gmail_default" style=3D"font-family:arial,helve=
tica,sans-serif"><br></div><div class=3D"gmail_default" style=3D"font-famil=
y:arial,helvetica,sans-serif"><br></div><div class=3D"gmail_default" style=
=3D"font-family:arial,helvetica,sans-serif"><br></div></div></div>

--0000000000006f8b13061ab754c9--