Re: PCI:SSF - Safe SQL Query & operators filter - Mailing list pgsql-general

From Laurenz Albe
Subject Re: PCI:SSF - Safe SQL Query & operators filter
Date
Msg-id 5d4b5fcba15b2c871d83e99cae974c01c7bfc1dd.camel@cybertec.at
Whole thread Raw
In response to PCI:SSF - Safe SQL Query & operators filter  (Jan Bilek <jan.bilek@eftlab.com.au>)
List pgsql-general
On Tue, 2022-11-08 at 01:24 +0000, Jan Bilek wrote:
> I am leading PCI:SSF audit on our payment switch platform product and having a issue where our QSA
> just came with multiple ways how to escalate privileges and get a shell to the remote host through
> our built-in Reporting system which runs on PostgreSQL (12-14).

> So these - pg_read_server_files, pg_write_server_files and pg_execute_server_program roles are
> inherited from the Superuser and are also super sensitive for us, but our application user apparently
> still needs to be superuser for multiple reasons. Would there be any way to go around this?

Your application user doesn't need to be a superuser.

> 1/ What we need is to create a postgresql user who would be pg_database_owner but not superuser ...
>    but apparently we still need our user to be superuser to be able to carry on with some operations
>   (picking one of more then few) ....
> CREATE OR REPLACE LANGUAGE plpython3u; 
> HINT:  Must be superuser to create this extension.

Your application user doesn't need to create PL/Python functions.  It only has to use them.

If your application has to access the operating system, it has to do that in a controlled
fashion:

1. through well-written SECURITY DEFINER functions that belong to a highly privileged user

2. through PL/Python functions or other untrusted language functions that are created
   by a superuser

> 2/ Second option is to introduce some sort of limitation of allowed SQL queries and operators
>    for our Reporting engine, but all that white-listing / blacklisting comes with its own
>    problems where we are DB agnostic...

That shouldn't be necessary.  If your application user has restricted privileges as it should,
it is automatically limited in the damage it can do.

Yours,
Laurenz Albe



pgsql-general by date:

Previous
From: Jeffrey Walton
Date:
Subject: Re: PCI:SSF - Safe SQL Query & operators filter
Next
From: Laurenz Albe
Date:
Subject: Re: postgres replication without pg_basebackup? postgres 13.3