CREATE CONSTRAINT TRIGGER appears to be a security hole - Mailing list pgsql-hackers

From Peter Eisentraut
Subject CREATE CONSTRAINT TRIGGER appears to be a security hole
Date
Msg-id Pine.LNX.4.44.0208141832360.20055-100000@localhost.localdomain
Whole thread Raw
Responses Re: CREATE CONSTRAINT TRIGGER appears to be a security hole
List pgsql-hackers
While the REFERENCES privilege controls who can create foreign keys
referring to one's tables, it seems you can evade it by using CREATE
CONSTRAINT TRIGGER directly.

This is the "slave" portion of a FK constraint I got from pg_dump:

CREATE CONSTRAINT TRIGGER "$1"   AFTER INSERT OR UPDATE ON "slave"   FROM master   NOT DEFERRABLE INITIALLY IMMEDIATE
FOREACH ROW   EXECUTE PROCEDURE "RI_FKey_check_ins" ('$1', 'slave', 'master', 'UNSPECIFIED', 'x', 'a');
 

To create this you only need to have a privilege on "slave", but it
creates a fully functional way to "query" the primary key of the master
table by brute force, and probably also to lock the table up, although I
haven't checked that.

It seems we need to check the privilege on the table mentioned in the FROM
"foo" clause as well.  Is that correct and sufficient?

-- 
Peter Eisentraut   peter_e@gmx.net



pgsql-hackers by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: Open 7.3 items
Next
From: Peter Eisentraut
Date:
Subject: pg_dump output portability