From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | "digoal(at)126(dot)com" <digoal(at)126(dot)com> |
Cc: | "pgsql-bugs(at)postgresql(dot)org" <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: BUG #13651: trigger security invoker attack |
Date: | 2015-09-29 15:48:12 |
Message-ID: | CAKFQuwa3coX=mS-SFN5rvGZELeaYFysHY3SdJPfWP4Ncr5LT0A@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
On Tuesday, September 29, 2015, <digoal(at)126(dot)com> wrote:
> The following bug has been logged on the website:
>
> Bug reference: 13651
> Logged by: digoal
> Email address: digoal(at)126(dot)com <javascript:;>
> PostgreSQL version: 9.4.4
> Operating system: CentOS 6.x x64
> Description:
>
> In my database, there have two role, one normal user, one superuser.
>
> postgres=# \dt
> List of relations
> Schema | Name | Type | Owner
> --------+------------------+-------+----------
> public | customer_reviews | table | postgres
> public | t | table | digoal
> public | t1 | table | postgres
> public | t2 | table | postgres
> public | t3 | table | postgres
>
>
>
Elided truncate trigger dropping t1...
> And rule is security.
> postgres=# \c postgres digoal
> You are now connected to database "postgres" as user "digoal".
> postgres=> create rule r1 as on delete to t do instead delete from t1;
> CREATE RULE
> postgres=> delete from t;
> ERROR: permission denied for relation t1
>
>
I'm surprised this works since t1 shouldn't exist...
postgres=> \c postgres postgres
> You are now connected to database "postgres" as user "postgres".
> postgres=# \set VERBOSITY verbose
> postgres=# delete from t;
> ERROR: 42501: permission denied for relation t1
> LOCATION: aclcheck_error, aclchk.c:3371
>
>
But since t1 does exist and t is owned by digoal the fact that this fails
with a permission error is unsurprising. Rules execute as the owner of the
relation to which they are attached in order to facilitate data hiding,
David J.
From | Date | Subject | |
---|---|---|---|
Next Message | David G. Johnston | 2015-09-29 15:50:14 | BUG #13652: Function names as a table prefiex by underscore, confused with array |
Previous Message | Tom Lane | 2015-09-29 15:35:44 | Re: BUG #13652: Function names as a table prefiex by underscore, confused with array |