| From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Jeff Davis <pgsql(at)j-davis(dot)com>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: lowering privs in SECURITY DEFINER function |
| Date: | 2011-04-11 20:13:52 |
| Message-ID: | 1302552756-sup-7075@alvh.no-ip.org |
| Lists: | pgsql-hackers |
Excerpts from Robert Haas's message of Sun Apr 10 13:37:46 -0300 2011:
> It's maybe worth noting here that what's being asked for is roughly
> what you get from UNIX's distinction between euid and ruid. Many
> programs that run setuid root perform a few operations that require
> root privileges up front, and then drop privs. To what degree that
> model applies in an SQL environment I'm not sure, but it might be
> worth looking at some of the parallels, as well as some of the ways
> that the UNIX mechanism has managed to cause all sorts of privilege
> escalation bugs over the years, to make sure we don't repeat those
> mistakes.
Thanks for mentioning that. It made me recall a couple of articles I
read some time ago,
http://lwn.net/Articles/416494/
and
http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
--
Álvaro Herrera <alvherre(at)commandprompt(dot)com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support