Re: Is this a security oversight?

From: Ben Tilly <btilly(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-sql(at)lists(dot)postgresql(dot)org
Subject: Re: Is this a security oversight?
Date: 2021-08-10 18:40:53
Message-ID: CANoac9Xh-Z9Sv3kF2fUm5c3wfGCmB2gZHDphr5ABzV++zPUGOw@mail.gmail.com
Lists: pgsql-sql

Bizarre, I thought I had tested that by dropping superuser and trying it.
But I must not have.

In that case please modify this to a request to allow casts to be created
by a superuser without having to change the ownership of the objects
involved.

On Tue, Aug 10, 2021 at 11:32 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Ben Tilly <btilly(at)gmail(dot)com> writes:
> > As a security rule, you cannot create a cast without owning one of the
> > types.
>
> Check.
>
> > The following code successfully creates it, not as postgres and not as a
> > superuser.
>
> Really? When I try that as an ordinary user, I get
>
> ERROR: must be owner of type boolean
> CONTEXT: SQL statement "ALTER TYPE bool OWNER TO current_user"
> PL/pgSQL function inline_code_block line 12 at SQL statement
>
> If there is a way where that actually does work without superuser
> privileges, please send the details to security(at)postgresql(dot)org.
>
> regards, tom lane
>
