Home > mailing lists

Re: lowering privs in SECURITY DEFINER function - Mailing list pgsql-hackers

From	Alvaro Herrera
Subject	Re: lowering privs in SECURITY DEFINER function
Date	April 8, 2011 23:29:46
Msg-id	1302304657-sup-7248@alvh.no-ip.org Whole thread Raw
In response to	Re: lowering privs in SECURITY DEFINER function ("A.M." <agentm@themactionfaction.com>)
Responses	Re: lowering privs in SECURITY DEFINER function ("A.M." <agentm@themactionfaction.com>)
List	pgsql-hackers

Tree view

Excerpts from A.M.'s message of mié abr 06 19:08:35 -0300 2011:

> That's really strange considering that the new role may not normally
> have permission to switch to the original role. How would you handle
> the case where the security definer role is not the super user?

As I said to Jeff, it's up to the creator of the wrapper function to
ensure that things are safe.  Perhaps this new operation should only be
superuser-callable, for example.

> How would you prevent general SQL attacks when manually popping the
> authentication stack is allowed?

The popping and pushing operations would be restricted.  You can only
pop a single frame, and pushing it back before returning is mandatory.

-- 
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

pgsql-hackers by date:

From: Alvaro Herrera
Date: 08 April 2011, 23:19:24
Subject: Re: lowering privs in SECURITY DEFINER function

From: Tom Lane
Date: 09 April 2011, 00:02:52
Subject: Re: WIP: Allow SQL-language functions to reference parameters by parameter name

Re: lowering privs in SECURITY DEFINER function - Mailing list pgsql-hackers

Previous

Next