Re: BUG #18387: Erroneous permission checks and/or misleading error messages with refresh materialized view

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: Maxim Boguk <maxim(dot)boguk(at)gmail(dot)com>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #18387: Erroneous permission checks and/or misleading error messages with refresh materialized view
Date: 2024-03-12 12:22:33
Message-ID: 09970dbb6f95a34d9427c32b09517ea709c77d02.camel@cybertec.at
Lists: pgsql-bugs

On Tue, 2024-03-12 at 12:40 +0200, Maxim Boguk wrote:
> May I suggest a change to always allow superuser run
> REFRESH MATERIALIZED VIEW (may be via set role or similar mechanics)?

If the query ran with superuser permissions, that would be
a security problem:

CREATE TABLE log (t text);

CREATE FUNCTION f() RETURNS integer LANGUAGE sql
AS 'INSERT INTO log VALUES (''x''); SELECT 42';

CREATE MATERIALIZED VIEW v AS SELECT f();

Now imagine you create a malicious trigger on "log" and
get a superuser to refresh the materialized view.

I don't see why it should be a problem if a superuser gets
"permission denied" in such a case. They can also get it if
they call a SECURITY DEFINER function owned by a non-superuser.

Yours,
Laurenz Albe
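The privilege boundary Laurenz describes can be checked directly. The following SQL is an added example and not part of the thread: it records which user a trigger on "log" actually runs as when a superuser refreshes the view. The role mv_owner, the who/session columns and the log_who() trigger function are constructed for this example.

```sql
-- Constructed check (not from the thread): confirm that REFRESH MATERIALIZED VIEW
-- executes the view's query as the view owner rather than as the superuser
-- who issues the REFRESH. Run the whole script as a superuser.
CREATE ROLE mv_owner;
GRANT CREATE ON SCHEMA public TO mv_owner;   -- required on PostgreSQL 15+

SET ROLE mv_owner;

CREATE TABLE log (t text, who text, session text);

-- The trigger records the effective user (current_user) and the session
-- user (session_user) at the moment the insert happens.
CREATE FUNCTION log_who() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    NEW.who     := current_user;
    NEW.session := session_user;
    RETURN NEW;
END $$;

CREATE TRIGGER log_who BEFORE INSERT ON log
    FOR EACH ROW EXECUTE FUNCTION log_who();

-- Same shape as the function in the thread: a side effect hidden in the
-- view's defining query.
CREATE FUNCTION f() RETURNS integer LANGUAGE sql
    AS 'INSERT INTO log (t) VALUES (''x''); SELECT 42';

CREATE MATERIALIZED VIEW v AS SELECT f();   -- first insert, as mv_owner

RESET ROLE;

-- Now as superuser: refresh the view and inspect what the trigger saw.
REFRESH MATERIALIZED VIEW v;                -- second insert, via REFRESH

SELECT t, who, session FROM log;
```

With the current behaviour both rows carry mv_owner in "who" while "session" for the second row is the superuser's name; a "who" value equal to the superuser's name would be exactly the escalation described above.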
