From: | Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [Pljava-dev] Should creating a new base type require superuser status? |
Date: | 2008-08-01 23:51:47 |
Message-ID: | 87zlnwnvjg.fsf@news-spur.riddles.org.uk |
Lists: | pgsql-hackers pljava-dev |
>>>>> "Tom" == Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
>> Tom, could you please elaborate where you see a security hole?
Tom> The problem that we've seen in the past shows up when the user
Tom> lies in the CREATE TYPE command, specifying type representation
Tom> properties that are different from what the underlying functions
Tom> expect. In particular, if it's possible to pass a pass-by-value
Tom> integer to a function that's expecting a pass-by-reference
Tom> datum, you can misuse the function to access backend memory.

It strikes me that type output functions are routinely invoked by
superusers (e.g. during pg_dump), and therefore if a non-superuser can
create a type, that seems to imply that there's no way for a superuser
to safely examine or dump the content of the database without risking
the execution of untrusted code, correct?
--
Andrew (irc:RhodiumToad)
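
The exposure raised in this message can be checked from the system catalogs. The following is an added example, not part of the original message or of PostgreSQL itself: a query a superuser could run before dumping a database to list base types where the type or its output function is owned by a non-superuser, together with the representation properties declared in CREATE TYPE. It uses only standard pg_catalog relations; the schema exclusions and the array filter are assumptions about what counts as noise.

```sql
-- Added example: audit base types whose output function a superuser
-- session (e.g. pg_dump) would execute, and which are not fully
-- superuser-controlled.
SELECT n.nspname             AS type_schema,
       t.typname             AS type_name,
       town.rolname          AS type_owner,
       t.typbyval            AS declared_by_value,   -- as claimed in CREATE TYPE
       t.typlen              AS declared_length,     -- -1 = varlena, -2 = cstring
       p.oid::regprocedure   AS output_function,
       l.lanname             AS output_language,
       fown.rolname          AS function_owner
FROM pg_catalog.pg_type t
JOIN pg_catalog.pg_namespace n ON n.oid = t.typnamespace
JOIN pg_catalog.pg_roles town  ON town.oid = t.typowner
JOIN pg_catalog.pg_proc p      ON p.oid = t.typoutput
JOIN pg_catalog.pg_language l  ON l.oid = p.prolang
JOIN pg_catalog.pg_roles fown  ON fown.oid = p.proowner
WHERE t.typtype = 'b'                                  -- base types only
  -- assumption: skip system schemas
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  -- assumption: skip true array types (variable length with an element
  -- type); their output function is the built-in array_out
  AND NOT (t.typelem <> 0 AND t.typlen = -1)
  -- keep rows where the type or its output function has a
  -- non-superuser owner
  AND (NOT town.rolsuper OR NOT fown.rolsuper)
ORDER BY type_schema, type_name;
```

Rows where `output_language` is `internal` or `c` and the type owner is not a superuser are the ones to compare against the function's real argument representation, since the catalogs record only what the CREATE TYPE command declared.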