invoker function security issues - Mailing list pgsql-hackers
From | Virender Singla |
---|---|
Subject | invoker function security issues |
Date | |
Msg-id | CAM6Zo8wpK+DEknNNvVfGj6wF2GCPzS0n55q9k0=1JTXkYazNtQ@mail.gmail.com Whole thread Raw |
Responses |
Re: invoker function security issues
|
List | pgsql-hackers |
I believe functions in Postgres follow a late binding approach and hence nested function dependencies are resolved using search_path at run time. This way a user can override nested functions in its schema and change the behaviour of wrapper functions. However, a more serious issue is when functional Indexes (with nested function calls) are created on a table and then the data inserted in Indexes could be entirely dependent on which user is inserting the data (by overriding nested function).
I performed a couple of test cases where data inserted is dependent on the user overriding nested functions. I understand this is not the best practice to scatter functions/indexes/tables in different different schemas and use such kind schema setup but I still expect Postgres to save us from such data inconsistencies issues by using early binding for functional Indexes. In fact Postgres does that linking for a single function Index (where no nested function are there) and qualifies the function used in the Index with its schema name and also it works in cases where all functions, table, Indexes are present in the same schema.
However still there are cases where functional Indexes are created on extension functions (For Ex - cube extension) which are present in different schemas and then those cube functions are defined as invoker security type with nested functions calls without any schema qualification.
Issue that would arise with late binding for functional Indexes is that when we are migrating such tables/indexes/data from one database to another (using pg_dump/pg_restore or any other method) data can be changed depending on which user we are using for import.
(These tests i performed using invoker functions, i think definer functions produce correct behavior). One way would be to define search_path for such nested functions.
- =========Case1======
- ##Table and functions are in different schemas.
- Session1::
- User:Postgres
- create user idxusr1 with password '*****';
- grant idxusr1 to postgres;
- create schema idxusr1 AUTHORIZATION idxusr1;
- create user idxusr2 with password '*****';
- grant idxusr2 to postgres;
- create schema idxusr2 AUTHORIZATION idxusr2;
- Session2::
- User:idxusr1
- set search_path to idxusr1,public;
- CREATE FUNCTION sumcall(int, int) RETURNS int LANGUAGE SQL IMMUTABLE STRICT PARALLEL SAFE AS 'SELECT ($1+$2)';
- CREATE FUNCTION wrapsum(int, int) RETURNS int LANGUAGE SQL IMMUTABLE STRICT PARALLEL SAFE AS 'SELECT sumcall($1,$2)';
- ##create table in another schema
- create table public.test(n1 int);
- create unique index idxtst on public.test(idxusr1.wrapsum(n1,1));
- grant insert on table public.test to idxusr2;
- postgres=> insert into test values(1);
- INSERT 0 1
- postgres=> insert into test values(1);
- ERROR: duplicate key value violates unique constraint "idxtst"
- DETAIL: Key (wrapsum(n1, 1))=(2) already exists.
- Session3::
- User:idxusr2
- set search_path to idxusr2,public;
- CREATE FUNCTION sumcall(int, int) RETURNS int LANGUAGE SQL IMMUTABLE STRICT PARALLEL SAFE AS 'SELECT ($1 - $2)';
- postgres=> insert into test values(1);
- INSERT 0 1
- postgres=> insert into test values(1);
- ERROR: duplicate key value violates unique constraint "idxtst"
- DETAIL: Key (idxusr1.wrapsum(n1, 1))=(0) already exists.
- ======Case2==========
- ##Functions are in different schemas.
- Session1::
- User:Postgres
- create user idxusr1 with password '*****';
- grant idxusr1 to postgres;
- create schema idxusr1 AUTHORIZATION idxusr1;
- create user idxusr2 with password '*****';
- grant idxusr2 to postgres;
- create schema idxusr2 AUTHORIZATION idxusr2;
- Session2::
- User:idxusr1
- set search_path to idxusr1,public;
- ##create internal function in own schema and wrapper function in another schema.
- CREATE FUNCTION sumcall(int, int) RETURNS int LANGUAGE SQL IMMUTABLE STRICT PARALLEL SAFE AS 'SELECT ($1+$2)';
- CREATE FUNCTION public.wrapsum(int, int) RETURNS int LANGUAGE SQL IMMUTABLE STRICT PARALLEL SAFE AS 'SELECT sumcall($1,$2)';
- create table test(n1 int);
- create unique index idxtst on test(public.wrapsum(n1,1));
- grant usage on schema idxusr1 to idxusr2;
- grant insert on table test to idxusr2;
- postgres=> insert into test values(1);
- INSERT 0 1
- postgres=> insert into test values(1);
- ERROR: duplicate key value violates unique constraint "idxtst"
- DETAIL: Key (wrapsum(n1, 1))=(2) already exists.
- Session3::
- User:idxusr2
- set search_path to idxusr2,public;
- CREATE FUNCTION sumcall(int, int) RETURNS int LANGUAGE SQL IMMUTABLE STRICT PARALLEL SAFE AS 'SELECT ($1 - $2)';
- postgres=> insert into idxusr1.test values(1);
- INSERT 0 1
- postgres=> insert into idxusr1.test values(1);
- ERROR: duplicate key value violates unique constraint "idxtst"
- DETAIL: Key (wrapsum(n1, 1))=(0) already exists.
- postgres=>
pgsql-hackers by date: