From: | "Zwettler Markus (OIZ)" <Markus(dot)Zwettler(at)zuerich(dot)ch> |
---|---|
To: | Joe Conway <mail(at)joeconway(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | AW: [Extern] Re: PG16.1 security breach? |
Date: | 2024-06-07 13:54:23 |
Message-ID: | GV0P278MB00993C93868025F89845F58D8BFB2@GV0P278MB0099.CHEP278.PROD.OUTLOOK.COM |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
> -----Ursprüngliche Nachricht-----
> Von: Joe Conway <mail(at)joeconway(dot)com>
> Gesendet: Freitag, 7. Juni 2024 15:22
> An: Zwettler Markus (OIZ) <Markus(dot)Zwettler(at)zuerich(dot)ch>; pgsql-
> general(at)lists(dot)postgresql(dot)org
> Betreff: [Extern] Re: PG16.1 security breach?
>
> On 6/7/24 07:04, Zwettler Markus (OIZ) wrote:
> > I am running the following on Postgres 16.1 in database "postgres" as
> > a
> > superuser:
>
> <snip>
>
> > create or replace function oiz.f_set_dbowner (p_dbowner text, p_dbname
> > text)
>
> <snip>
>
> > create role testuser with password 'testuser' login;
>
> <snip>
>
> > than this new role is able to execute the function oiz.f_set_dbowner
> > immediately even I did not grant execute on this function to this role!
>
> See:
> https://www.postgresql.org/docs/current/sql-createfunction.html
>
> In particular, this part:
> 8<------------------------
> Another point to keep in mind is that by default, execute privilege is granted to
> PUBLIC for newly created functions (see Section 5.7 for more information).
> Frequently you will wish to restrict use of a security definer function to only some
> users. To do that, you must revoke the default PUBLIC privileges and then grant
> execute privilege selectively.
> To avoid having a window where the new function is accessible to all, create it and
> set the privileges within a single transaction. For example:
> 8<------------------------
>
> HTH,
>
> --
> Joe Conway
> PostgreSQL Contributors Team
> RDS Open Source Databases
> Amazon Web Services: https://aws.amazon.com
>
> --- Externe Email: Vorsicht mit Anhängen, Links oder dem Preisgeben von
> Informationen ---
Argh. No! What a bad habit!
Might be good idea for an enhancement request to create a global parameter to disable this habit.
Thanks Markus
From | Date | Subject | |
---|---|---|---|
Next Message | David G. Johnston | 2024-06-07 14:16:04 | Re: PG16.1 security breach? |
Previous Message | Joe Conway | 2024-06-07 13:22:21 | Re: PG16.1 security breach? |