Re: Insufficient attention to security in contrib (mostly)

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Heikki Linnakangas" <heikki(at)enterprisedb(dot)com>
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Insufficient attention to security in contrib (mostly)
Date: 2007-08-28 23:13:59
Message-ID: 15199.1188342839@sss.pgh.pa.us
Lists: pgsql-hackers

"Heikki Linnakangas" <heikki(at)enterprisedb(dot)com> writes:
> Tom Lane wrote:
>> btreefuncs.c is a security hole a mile wide: it will happily dump the
>> entire data content of an index for you. It's a good thing this hasn't
>> shipped in any release yet. While we could possibly make it look up
>> the index's parent table and check if you have SELECT privilege on
>> that, it'd be easier just to make the functions demand superuser
>> privilege, which is what the rest of the functions in this contrib
>> module require. Comments?

> Oh dear. Those functions were actually just moved from pgstattuple, and
> have been there since 8.2. Better backpatch that to the pgstattuple
> functions in 8.2.

Done, thanks for the heads-up.

> I doubt there's any tools out there using those functions, so
> restricting them to superuser only is probably ok.

If anyone complains, we could probably knock them down to SELECT
privilege, but finding the parent table to apply the select priv check
to seems a bit of a pain for the index cases. So I won't bother unless
someone does complain.

regards, tom lane
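
The parent-table check discussed in this message, sketched in SQL as an added example (not code from this thread or from the contrib module): it resolves an index to its table through pg_index and tests SELECT privilege there. The function name index_parent_select_ok and the demonstration table, index and role are hypothetical.

```sql
-- Hypothetical helper, not part of PostgreSQL or its contrib modules:
-- true when the calling role may SELECT from the table that owns the index.
CREATE FUNCTION index_parent_select_ok(idx regclass)
RETURNS boolean
LANGUAGE plpgsql STABLE AS $$
DECLARE
    parent oid;
BEGIN
    -- pg_index maps each index (indexrelid) to its parent table (indrelid).
    SELECT i.indrelid INTO parent
    FROM pg_catalog.pg_index i
    WHERE i.indexrelid = idx;

    -- A plain table, view or sequence has no pg_index row: refuse it
    -- rather than silently treating it as accessible.
    IF NOT FOUND THEN
        RAISE EXCEPTION '"%" is not an index', idx;
    END IF;

    -- The two-argument form checks the current user; superusers always pass.
    RETURN pg_catalog.has_table_privilege(parent, 'SELECT');
END;
$$;

-- Constructed demonstration objects.
CREATE TABLE secrets (id int, payload text);
CREATE INDEX secrets_payload_idx ON secrets (payload);
CREATE ROLE low_priv NOLOGIN;

-- Before any grant: the role has no SELECT on the parent table.
SET ROLE low_priv;
SELECT index_parent_select_ok('secrets_payload_idx');
RESET ROLE;

-- After granting SELECT on the parent table, the same check is repeated.
GRANT SELECT ON secrets TO low_priv;
SET ROLE low_priv;
SELECT index_parent_select_ok('secrets_payload_idx');
RESET ROLE;
```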
