Home > mailing lists

Re: Wrong security context for deferred triggers? - Mailing list pgsql-hackers

From	Laurenz Albe
Subject	Re: Wrong security context for deferred triggers?
Date	September 10 03:14:30
Msg-id	77b89e609f21380785865542609fbc14010021c8.camel@cybertec.at Whole thread Raw
In response to	Re: Wrong security context for deferred triggers? (Laurenz Albe <laurenz.albe@cybertec.at>)
List	pgsql-hackers

Tree view

On Wed, 2024-03-06 at 14:32 +0100, Laurenz Albe wrote:
> On Mon, 2023-11-06 at 18:29 +0100, Tomas Vondra wrote:
> > On 11/6/23 14:23, Laurenz Albe wrote:
> > > This behavior looks buggy to me.  What do you think?
> > > I cannot imagine that it is a security problem, though.
> >
> > How could code getting executed under the wrong role not be a security
> > issue? Also, does this affect just the role, or are there some other
> > settings that may unexpectedly change (e.g. search_path)?
>
> Here is a patch that fixes this problem by keeping track of the
> current role in the AfterTriggerSharedData.

Funny enough, this problem has just surfaced on pgsql-general:
https://postgr.es/m/89e33a53-909c-6a02-bfc6-2578ba974e16@cloud.gatewaynet.com

I take this as one more vote for this patch...
Yours,
Laurenz Albe

pgsql-hackers by date:

From: Peter Geoghegan
Date: 10 September, 02:54:57
Subject: Re: Adding skip scan (including MDAM style range skip scan) to nbtree

From: Daniel Gustafsson
Date: 10 September, 03:20:28
Subject: Re: optimizing pg_upgrade's once-in-each-database steps

Re: Wrong security context for deferred triggers? - Mailing list pgsql-hackers

Previous

Next