Message-ID: <47F15976.50007@enterprisedb.com>
Date: Mon, 31 Mar 2008 22:36:54 +0100
From: Heikki Linnakangas
Organization: EnterpriseDB
To: Lars Olson
CC: pgsql-bugs@postgresql.org
Subject: Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe
In-Reply-To: <200803312055.m2VKtmdb090699@wwwmaster.postgresql.org>

Lars Olson wrote:
> Creating a view that depends on the value of SESSION_USER enables a
> minimally-privileged user to write a user-defined function that contains a
> trojan-horse to get arbitrary data from the base table. Using CURRENT_USER
> instead still enables a similar vulnerability.
>
> To reproduce the problem, create three users, alice (base table owner), bob
> (attacker), and carol (other minimally-privileged user). As Alice, create
> the following table and view:
> ...

This seems to be an instance of the general trojan-horse problem
discussed here:

http://archives.postgresql.org/pgsql-hackers/2008-01/msg00268.php

In a nutshell, it's just not safe to access a view or function owned by
a user you don't trust. :-(

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
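
Added example, not part of the original message and not PostgreSQL project code: one way to act on the advice above is to list the functions and views the current role is able to use that are owned by another, non-superuser role. Treating superusers and the current role as the only trusted owners is an assumption made for this illustration.

```sql
-- Added example (not from the original message).
-- Assumption: only superusers and the current role count as trusted owners;
-- adjust the owner filters to match your own trust policy.
SELECT 'function'  AS object_kind,
       n.nspname   AS schema_name,
       p.proname   AS object_name,
       o.rolname   AS owner_name,
       -- SECURITY INVOKER bodies run with the privileges of whoever calls them
       CASE WHEN p.prosecdef THEN 'owner' ELSE 'caller' END
                   AS function_code_runs_as
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN pg_catalog.pg_roles o     ON o.oid = p.proowner
WHERE NOT o.rolsuper
  AND o.rolname <> current_user
  AND has_function_privilege(p.oid, 'EXECUTE')
UNION ALL
-- Functions referenced in a view's query are executed on behalf of the role
-- that runs the query, so a view from an untrusted owner is listed as well.
SELECT 'view',
       n.nspname,
       c.relname,
       o.rolname,
       'caller unless SECURITY DEFINER'
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
JOIN pg_catalog.pg_roles o     ON o.oid = c.relowner
WHERE c.relkind = 'v'
  AND NOT o.rolsuper
  AND o.rolname <> current_user
  AND has_table_privilege(c.oid, 'SELECT')
ORDER BY owner_name, object_kind, schema_name, object_name;
```

Run it as the role whose exposure you want to review; every row is an object that role could invoke while its owner is outside the trusted set.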