Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pGAtw-00023d-72 for pgsql-hackers@arkaria.postgresql.org; Fri, 13 Jan 2023 03:38:44 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pGAtu-0002kv-Vu for pgsql-hackers@arkaria.postgresql.org; Fri, 13 Jan 2023 03:38:42 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pGAtu-0002km-Mo for pgsql-hackers@lists.postgresql.org; Fri, 13 Jan 2023 03:38:42 +0000 Received: from out5-smtp.messagingengine.com ([66.111.4.29]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pGAts-0003YU-L8 for pgsql-hackers@postgresql.org; Fri, 13 Jan 2023 03:38:42 +0000 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 9BE465C0126; Thu, 12 Jan 2023 22:38:39 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Thu, 12 Jan 2023 22:38:39 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anarazel.de; h= cc:cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm3; t=1673581119; x= 1673667519; bh=BHIEK0I/bfgUC6yA5IfLOmt+PGvqggJMLl14tG885Ns=; b=T TNCB5P+aO9Vbj3DTyqiKqt8+d7XM25d33w1h/TZQHFATyok3aWWPo03+ys+qO2zM 3EfToW5A9PhEPDKHIk2uVZo5D8eAtsoNNCEAloDC3e0sC3w7lQr93ogQflyfUab7 u/ai/A+RtSvtfF0g00UXz+JEu//CO8WzDdOinSg5m1uVfn/GYoHfjjW3e2EwUNIe 9nYd6PmlWvhbnr4L4SR0O08WhKZjwoIRu3HyUikq241V/wUKOPWYPpHmwsiVWotF GMlCPUnRHqMvzJK00AFKR5MAHwPmVQ/EVyLsw5iz/thILvs+D/P8S5YiO9n99F6P iDN8Fucctqn2qDs3Lh29g== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1673581119; x= 1673667519; bh=BHIEK0I/bfgUC6yA5IfLOmt+PGvqggJMLl14tG885Ns=; b=Z iWMMHwPbPMDO81KCjiahHjlFn+fEh9X+9ez4KbvBILZdU2PA+JsShpNqs5wE+BPI t8fTCI2VHxvIT0Clq68+jtzm1cbqQHi0tK8SwnS5ufjQx1ZuPVyv/tAFM/uNU8cq nFf1WF3Zj3hxFarCbHouZBT8lmH9thv7D2rq7sM9qXZ0KFMcddxbklhe6hNK+hfb I02c5fdMr2H+N/vaoZz8tN47ppN1twpS+iVNfGgVJBTUPa6BNZDhFvXxvltbPPpv +drza9W6yuHFehETRLhRjzv5v0N9SkhQHB+9qtMgMrP3RMCCZpHFOFlxvqgNtcOR eIH+yJjkybuyYSjkJrK0A== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrleejgdeigecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepfffhvfevuffkfhggtggugfgjsehtke ertddttdejnecuhfhrohhmpeetnhgurhgvshcuhfhrvghunhguuceorghnughrvghssegr nhgrrhgriigvlhdruggvqeenucggtffrrghtthgvrhhnpefhieetgfelveettdffjeevud ejkeejudfgtdevffejledvtdefkeeggfejhffggeenucevlhhushhtvghrufhiiigvpedt necurfgrrhgrmhepmhgrihhlfhhrohhmpegrnhgurhgvshesrghnrghrrgiivghlrdguvg X-ME-Proxy: Feedback-ID: id4a34324:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 12 Jan 2023 22:38:39 -0500 (EST) Date: Thu, 12 Jan 2023 19:38:38 -0800 From: Andres Freund To: Jeff Davis Cc: pgsql-hackers@postgresql.org Subject: Re: Blocking execution of SECURITY INVOKER Message-ID: <20230113033838.hvso6nlm5igsxcem@awork3.anarazel.de> References: <75b0dbb55e9febea54c441efff8012a6d2cb5bd7.camel@j-davis.com> <20230112033355.u5tiyr2bmuoc4jf4@awork3.anarazel.de> <20230113032943.iyxdu7bnxe4cmbld@awork3.anarazel.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20230113032943.iyxdu7bnxe4cmbld@awork3.anarazel.de> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 2023-01-12 19:29:43 -0800, Andres Freund wrote: > Hi, > > On 2023-01-12 18:40:30 -0800, Jeff Davis wrote: > > On Wed, 2023-01-11 at 19:33 -0800, Andres Freund wrote: > > > > > and the > > > privilege check will be done with the rights of the admin in many of > > > these > > > contexts. > > > > Can you explain? > > If the less-privileged user does *not* have execution rights to a security > definer function, but somehow can trick the more-privileged user into calling > the function for them, e.g. by using it as the default expression of a column, > the less-privileged user can escalate to the permissions of the security > definer function. > > superuser: > # CREATE FUNCTION exec_su(p_sql text) RETURNS text LANGUAGE plpgsql SECURITY DEFINER AS $$BEGIN RAISE NOTICE 'executing %', p_sql; EXECUTE p_sql;RETURN 'p_sql';END;$$; > # REVOKE ALL ON FUNCTION exec_su FROM PUBLIC ; > > unprivileged user: > $ SELECT exec_su('ALTER USER less_privs SUPERUSER'); > ERROR: 42501: permission denied for function exec_su > $ CREATE TABLE trick_superuser(value text default exec_su('ALTER USER less_privs SUPERUSER')); > > superuser: > # INSERT INTO trick_superuser DEFAULT VALUES; > NOTICE: 00000: executing ALTER USER less_privs SUPERUSER > > > This case would *not* be prevented by your proposed GUC, unless I miss > something major. The superuser trusts itself and thus the exec_su() function. Another reason security definer isn't a way to allow safe execution of lesser privileged code: superuser (andres): # CREATE FUNCTION bleat_whoami() RETURNS text LANGUAGE plpgsql SECURITY INVOKER AS $$BEGIN RAISE NOTICE 'whoami: %', current_user;RETURN current_user;END;$$; # REVOKE ALL ON FUNCTION bleat_whoami FROM PUBLIC; unprivileged user: $ CREATE FUNCTION secdef_with_default(foo text = bleat_whoami()) RETURNS text LANGUAGE plpgsql SECURITY DEFINER AS $$BEGIN RETURN 'secdef_with_default';END;$$; $ SELECT secdef_with_default(); ERROR: 42501: permission denied for function bleat_whoami superuser (andres): # SELECT secdef_with_default(); NOTICE: 00000: whoami: andres LOCATION: exec_stmt_raise, pl_exec.c:3893 ┌─────────────────────┐ │ secdef_with_default │ ├─────────────────────┤ │ secdef_with_default │ └─────────────────────┘ (1 row) I.e. the default arguments where evaluated with the invoker's permissions, not the definer's, despite being controlled by the less privileged user. Worsened in this case by the fact that this allowed the less privileged user to call a function they couldn't even call. Greetings, Andres Freund