On Mon, Apr 19, 2021 at 07:15:23PM -0700, Mark Dilger wrote:
> There is another issue to consider. Installing pg_amcheck in no way
> opens up an avenue of attack that I can see. It is just a client
> application with no special privileges. But installing amcheck
> arguably opens a line of attack; not one as significant as
> installing pageinspect, but of the same sort. Amcheck allows
> privileged database users to potentially get information from the
> tables that would otherwise be invisible even to them according to
> mvcc rules. (Is this already the case via some other functionality?
> Maybe this security problem already exists?) If the privileged
> database user has file system access, then this is not at all
> concerning, since they can already just open the files in a tool of
> their choice, but I don't see any reason why installations should
> require that privileged database users also be privileged to access
> the file system.
By default, any functions deployed with amcheck have their execution
rights revoked from public, meaning that only a superuser can run them
with a default installation. A non-superuser could execute them only
once GRANT'd access to them.
--
Michael
