| From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-hackers(at)postgreSQL(dot)org |
| Subject: | Re: ALTER ROLE/DATABASE RESET ALL versus security |
| Date: | 2010-02-19 18:22:22 |
| Message-ID: | 20100219182222.GD5735@alvh.no-ip.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
> It looks to me like the code in AlterSetting() will allow an ordinary
> user to blow away all settings for himself. Even those that are for
> SUSET variables and were presumably set for him by a superuser. Isn't
> this a security hole? I would expect that an unprivileged user should
> not be able to change such settings, not even to the extent of
> reverting to the installation-wide default.
Yes, it is, but this is not a new hole. This works just fine in 8.4
too:
alvherre=# create role foo;
CREATE ROLE
alvherre=# alter role foo set lc_messages = 'C';
ALTER ROLE
alvherre=# set session AUTHORIZATION foo;
SET
alvherre=> show lc_messages ;
lc_messages
-------------
es_CL.UTF-8
(1 fila)
alvherre=> alter role foo reset all;
ALTER ROLE
alvherre=> reset session AUTHORIZATION ;
RESET
alvherre=# set session AUTHORIZATION foo;
SET
alvherre=> show lc_messages ;
lc_messages
-------------
es_CL.UTF-8
(1 fila)
alvherre=> alter role foo set lc_messages to 'C';
ERROR: se ha denegado el permiso para cambiar la opción «lc_messages»
So any user is able to reset settings that were set for him by the
superuser.
--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2010-02-19 18:30:49 | Re: ALTER ROLE/DATABASE RESET ALL versus security |
| Previous Message | Dimitri Fontaine | 2010-02-19 17:56:12 | Re: Avoiding bad prepared-statement plans. |