Re: Extension security improvement: Add support for extensions with an owned schema

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Jelte Fennema-Nio <me(at)jeltef(dot)nl>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Extension security improvement: Add support for extensions with an owned schema
Date: 2024-06-19 15:28:46
Message-ID: CA+TgmoZEqpXGdzMNW99UGPhXa8TKu5eNCBu6doAu9T3ti3P1ow@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Sat, Jun 1, 2024 at 8:08 PM Jelte Fennema-Nio <me(at)jeltef(dot)nl> wrote:
> Writing the sql migration scripts that are run by CREATE EXTENSION and
> ALTER EXTENSION UPDATE are security minefields for extension authors.
> One big reason for this is that search_path is set to the schema of the
> extension while running these scripts, and thus if a user with lower
> privileges can create functions or operators in that schema they can do
> all kinds of search_path confusion attacks if not every function and
> operator that is used in the script is schema qualified. While doing
> such schema qualification is possible, it relies on the author to never
> make a mistake in any of the sql files. And sadly humans have a tendency
> to make mistakes.

I agree that this is a problem. I also think that the patch might be a
reasonable solution (but I haven't reviewed it).

But I wonder if there might also be another possible approach: could
we, somehow, prevent object references in extension scripts from
resolving to anything other than the system catalogs and the contents
of that extension? Perhaps with a control file setting to specify a
list of trusted extensions which we're also allowed to reference?

I have a feeling that this might be pretty annoying to implement, and
if that is true, then never mind. But if it isn't that annoying to
implement, it would make a lot of unsafe extensions safe by default,
without the extension author needing to take any action. Which could
be pretty cool. It would also make it possible for extensions to
safely share a schema, if desired.

--
Robert Haas
EDB: http://www.enterprisedb.com

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message jian he 2024-06-19 15:29:39 Re: SQL/JSON query functions context_item doc entry and type requirement
Previous Message David G. Johnston 2024-06-19 15:22:14 Re: Extension security improvement: Add support for extensions with an owned schema