CREATE CONSTRAINT TRIGGER appears to be a security hole

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org>
Subject: CREATE CONSTRAINT TRIGGER appears to be a security hole
Date: 2002-08-14 17:09:25
Message-ID: Pine.LNX.4.44.0208141832360.20055-100000@localhost.localdomain
Lists: pgsql-hackers

While the REFERENCES privilege controls who can create foreign keys
referring to one's tables, it seems you can evade it by using CREATE
CONSTRAINT TRIGGER directly.

This is the "slave" portion of a FK constraint I got from pg_dump:

CREATE CONSTRAINT TRIGGER "$1"
AFTER INSERT OR UPDATE ON "slave"
FROM master
NOT DEFERRABLE INITIALLY IMMEDIATE
FOR EACH ROW
EXECUTE PROCEDURE "RI_FKey_check_ins" ('$1', 'slave', 'master', 'UNSPECIFIED', 'x', 'a');

To create this you only need to have a privilege on "slave", but it
creates a fully functional way to "query" the primary key of the master
table by brute force, and probably also to lock the table up, although I
haven't checked that.

It seems we need to check the privilege on the table mentioned in the FROM
"foo" clause as well. Is that correct and sufficient?

--
Peter Eisentraut peter_e(at)gmx(dot)net
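
An audit query for the condition described in the message above, added here as an example; it is not part of the original post or of the PostgreSQL sources. It assumes the system catalogs of a current PostgreSQL release (`pg_trigger.tgconstrrelid`, `pg_trigger.tgisinternal`, `has_table_privilege`), and it uses the owner of the trigger's table as a stand-in for whoever created the trigger, because the catalog does not record the creator.

```sql
-- Added example: list user-created constraint triggers whose FROM table
-- ("master" in the message) is one that the owner of the trigger's own
-- table ("slave" in the message) holds no REFERENCES privilege on.
SELECT t.tgname                     AS trigger_name,
       t.tgrelid::regclass          AS trigger_table,
       t.tgconstrrelid::regclass    AS from_table,
       pg_get_userbyid(c.relowner)  AS trigger_table_owner,  -- assumption: proxy for the creator
       p.proname                    AS trigger_function
FROM pg_trigger t
JOIN pg_class c ON c.oid = t.tgrelid
JOIN pg_proc  p ON p.oid = t.tgfoid
WHERE NOT t.tgisinternal        -- skip triggers the server generated for real FOREIGN KEY constraints
  AND t.tgconstrrelid <> 0      -- keep only triggers that name a FROM table
  AND NOT has_table_privilege(c.relowner, t.tgconstrrelid, 'REFERENCES')
ORDER BY t.tgconstrrelid::regclass::text, t.tgrelid::regclass::text;
```

Each row is a constraint trigger that ties a table to another table its owner could not have referenced with an ordinary foreign key; a superuser owner never appears because `has_table_privilege` always returns true for superusers.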
