Re: PCI:SSF - Safe SQL Query & operators filter - Mailing list pgsql-general

From Jan Bilek
Subject Re: PCI:SSF - Safe SQL Query & operators filter
Date
Msg-id 915c39ef-5244-7682-0a2e-fffe17ba8490@eftlab.com.au
Whole thread Raw
In response to Re: PCI:SSF - Safe SQL Query & operators filter  (Laurenz Albe <laurenz.albe@cybertec.at>)
List pgsql-general
On 11/8/22 17:03, Laurenz Albe wrote:
> On Tue, 2022-11-08 at 04:14 +0000, Jan Bilek wrote:
>
>> I know it is not exactly what you suggested (and agreeing a lot with our
>> app user shouldn't be running as superuser), but as all other inputs
>> from our application come sanitized through bind and this is the only
>> way where user can send an explicit command in there - I think it should do!
>>
>> Please let me know if you approve.
> I strongly disapprove, and any security audit you pass with such a setup
> is worthless.  I repeat: the application does not need to connect with
> a superuser.
>
> I don't understand what you want to demonstrate with the code samples, or
> what you mean when you say that "the user can send an explicit command".
>
> Yours,
> Laurenz Albe

Interesting.

I agree that our app shouldn't need superuser, but that would mean that 
some ... you made me give it some serious though here.

Installation itself is happening under elevated (root) rights. We are 
using the postgres account for moving in all what's needed (e.g. that 
plpython3u extension). Walking though our code for most of the day, I 
can't see why that superuser would be really needed. Those plpython3u 
functions are wrapped up under the hood already. I'm sending that in to 
check if our QA will find anything.

Thanks for being stubborn about this!

Cheers,
Jan

-- 
Jan Bilek - CTO at EFTlab Pty Ltd.


pgsql-general by date:

Previous
From: Thomas Munro
Date:
Subject: Re: Segmentation Fault PG 14
Next
From: jian he
Date:
Subject: for integer/bigint type while format to scientific notation, automatically get the correct number of precision