AW: [Extern] Re: PG16.1 security breach?

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Zwettler Markus (OIZ) <[email protected]>
To: Joe Conway <[email protected]>
To: [email protected] <[email protected]>
Subject: AW: [Extern] Re: PG16.1 security breach?
Date: Fri, 7 Jun 2024 13:54:23 +0000
Message-ID: <GV0P278MB00993C93868025F89845F58D8BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <[email protected]>
References: <GV0P278MB00996776669F54A7EADB64688BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>
	<[email protected]>

> -----Ursprüngliche Nachricht-----
> Von: Joe Conway <[email protected]>
> Gesendet: Freitag, 7. Juni 2024 15:22
> An: Zwettler Markus (OIZ) <[email protected]>; pgsql-
> [email protected]
> Betreff: [Extern] Re: PG16.1 security breach?
> 
> On 6/7/24 07:04, Zwettler Markus (OIZ) wrote:
> > I am running the following on Postgres 16.1 in database "postgres" as
> > a
> > superuser:
> 
> <snip>
> 
> > create or replace function oiz.f_set_dbowner (p_dbowner text, p_dbname
> > text)
> 
> <snip>
> 
> > create role testuser with password 'testuser' login;
> 
> <snip>
> 
> > than this new role is able to execute the function oiz.f_set_dbowner
> > immediately even I did not grant execute on this function to this role!
> 
> See:
> https://www.postgresql.org/docs/current/sql-createfunction.html
> 
> In particular, this part:
> 8<------------------------
> Another point to keep in mind is that by default, execute privilege is granted to
> PUBLIC for newly created functions (see Section 5.7 for more information).
> Frequently you will wish to restrict use of a security definer function to only some
> users. To do that, you must revoke the default PUBLIC privileges and then grant
> execute privilege selectively.
> To avoid having a window where the new function is accessible to all, create it and
> set the privileges within a single transaction. For example:
> 8<------------------------
> 
> HTH,
> 
> --
> Joe Conway
> PostgreSQL Contributors Team
> RDS Open Source Databases
> Amazon Web Services: https://aws.amazon.com
> 
> --- Externe Email: Vorsicht mit Anhängen, Links oder dem Preisgeben von
> Informationen ---


Argh. No! What a bad habit!

Might be good idea for an enhancement request to create a global parameter to disable this habit.

Thanks Markus

view thread (7+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: AW: [Extern] Re: PG16.1 security breach?
  In-Reply-To: <GV0P278MB00993C93868025F89845F58D8BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox