Re: [PATCHES] Re: [PATCH] Re: Setuid functions - Mailing list pgsql-hackers

From Mark Volpe
Subject Re: [PATCHES] Re: [PATCH] Re: Setuid functions
Date
Msg-id 3B4CCE00.D9B60127@epa.gov
Whole thread Raw
In response to Re: [PATCHES] Re: [PATCH] Re: Setuid functions  (Peter Eisentraut <peter_e@gmx.net>)
Responses Re: [PATCHES] Re: [PATCH] Re: Setuid functions
List pgsql-hackers
Good point. Would the issue be resolved by either:

- Only allowing the database superuser to use this mechanism?
- Allowing it only in trigger functions? (That way a user has to actually own
one of the tables)

Mark

Peter Eisentraut wrote:
> 
> Bruce Momjian writes:
> 
> > > Peter might be referring to this:
> > >
> > > http://fts.postgresql.org/db/mw/msg.html?mid=1022775
> > >
> > > There was some discussion afterward, but I don't think a definite conclusion
> > > was reached.
> >
> > But I see Tom Lane saying he doesn't see a security issue:
> >
> >       http://fts.postgresql.org/db/mw/msg.html?mid=1022758
> >
> > I don't pretend to understand it.  Just tell me what to do with the
> > patch.  :-)
> 
> The problem with setuid functions in general is that a database user can
> effectively re-grant privileges to which he has no grant privileges.
> E.g.,
> 
> user1=> create table table1 (id int, secret_content text);
> user1=> grant select on test to user2;
> 
> /* made up the syntax */
> user2=> create function testfunc (int) returns text as '
> user2'>   begin
> user2'>     set authorization definer;
> user2'>     return select secret_content from table1 where id = $1;
> user2'>   end;' as 'plpgsql';
> 
> user3=> select * from table1 where id = 5;
> (fails)
> user3=> select testfunc(5);
> (succeeds)
> 
> Tom has a point that as soon as user2 has the select privilege, he can
> make a private copy of table1 and send it to user3.
> 
> But if you take this attitude you might as well get rid of the
> fine-grained privilege system, you'd just need 'select to public'.  Also,
> there may be other security or at least auditing mechanisms to supervise
> the communication between user2 and user3.  Or maybe user2 and user3 are
> just pseudo-users implementing some sort of "least privilege" paranoid
> design.
> 
> At least we should discuss whether we'd eventually like to have grantable
> privileges, and if so, how this would fit in.
> 
> --
> Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter


pgsql-hackers by date:

Previous
From: Peter Eisentraut
Date:
Subject: Re: [PATCHES] Re: [PATCH] Re: Setuid functions
Next
From: Mark
Date:
Subject: Re: vacuum problems