From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
---|---|
To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
Cc: | "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch>, Joe Conway <mail(at)joeconway(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: PG16.1 security breach? |
Date: | 2024-06-10 09:21:42 |
Message-ID: | 416045c0e7deac5b9f25e5fc89beec2a702a0b4c.camel@cybertec.at |
Lists: | pgsql-general |
On Fri, 2024-06-07 at 07:42 -0700, David G. Johnston wrote:
> On Friday, June 7, 2024, Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> wrote:
> > On Fri, 2024-06-07 at 13:54 +0000, Zwettler Markus (OIZ) wrote:
> > > > Another point to keep in mind is that by default, execute privilege is granted to
> > > > PUBLIC for newly created functions (see Section 5.7 for more information).
> > >
> > > Argh. No! What a bad habit!
> > >
> > > Might be a good idea for an enhancement request to create a global parameter to disable this habit.
> >
> > I don't see the problem, since the default execution mode for functions is
> > SECURITY INVOKER.
> >
> > But you can easily change that:
> >
> > ALTER DEFAULT PRIVILEGES FOR ROLE function_creator REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
>
> You named function_creator here when in this example the role creating the new object is postgres.
Then use "postgres" rather than "function_creator".
An ALTER DEFAULT PRIVILEGES statement always only changes default privileges for objects
created by a certain user.
> How is it that the default privilege granted to public doesn’t seem to care who the object creator
> is yet when revoking the grant one supposedly can only do so within the scope of a single role?
I don't understand what you wrote. ALTER DEFAULT PRIVILEGES also only applies to objects
created by a single role when you grant default privileges.
Yours,
Laurenz Albe
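A runnable walkthrough of the point discussed above, added here and not part of the thread: a new function's ACL is NULL, so the built-in default (EXECUTE for PUBLIC) applies, and ALTER DEFAULT PRIVILEGES changes that only for objects subsequently created by the named role. The roles app_owner, other_owner and app_user and the function names are constructed for the demo; it assumes a superuser session in a scratch database.

```sql
-- Added example, not code from the thread. Assumes a superuser session in a
-- scratch database; app_owner, other_owner and app_user are constructed roles.
CREATE ROLE app_owner;
CREATE ROLE other_owner;
CREATE ROLE app_user LOGIN;   -- an unprivileged role we check EXECUTE for

-- PG15+ no longer lets every role create in "public"; grant it explicitly.
GRANT CREATE ON SCHEMA public TO app_owner, other_owner;

-- 1. Built-in default: the new function's proacl is NULL, which means the
--    hard-wired default applies, i.e. EXECUTE is granted to PUBLIC.
SET ROLE app_owner;
CREATE FUNCTION f_before() RETURNS int LANGUAGE sql AS 'SELECT 1';
RESET ROLE;

SELECT proname, proacl,
       has_function_privilege('app_user', 'f_before()', 'EXECUTE') AS app_user_can_exec
FROM pg_proc WHERE proname = 'f_before';

-- 2. Change the default for functions created by app_owner from now on.
--    Note the plural FUNCTIONS (or ROUTINES) in this statement.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

SET ROLE app_owner;
CREATE FUNCTION f_after() RETURNS int LANGUAGE sql AS 'SELECT 2';
RESET ROLE;

-- 3. The altered default is scoped to app_owner: a function created by a
--    different role still gets the built-in PUBLIC EXECUTE default.
SET ROLE other_owner;
CREATE FUNCTION f_other() RETURNS int LANGUAGE sql AS 'SELECT 3';
RESET ROLE;

-- Compare the three: only f_after, created by app_owner after the change,
-- lacks the PUBLIC grant. f_before is untouched because ALTER DEFAULT
-- PRIVILEGES never modifies existing objects; f_other belongs to other_owner.
SELECT proname, proacl,
       has_function_privilege('app_user', proname || '()', 'EXECUTE') AS app_user_can_exec
FROM pg_proc
WHERE proname IN ('f_before', 'f_after', 'f_other')
ORDER BY proname;

-- The per-role default-privilege entries themselves live in pg_default_acl.
SELECT pg_get_userbyid(defaclrole) AS creator_role, defaclobjtype, defaclacl
FROM pg_default_acl;
```

To fix functions that already exist, run an explicit REVOKE EXECUTE ON FUNCTION ... FROM PUBLIC (or ON ALL FUNCTIONS IN SCHEMA ...); the default-privilege change alone does not touch them.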