Re: PCI:SSF - Safe SQL Query & operators filter - Mailing list pgsql-general

From Jan Bilek
Subject Re: PCI:SSF - Safe SQL Query & operators filter
Date
Msg-id f413286c-ae0f-2649-4288-5f614e7453ef@eftlab.com.au
Whole thread Raw
In response to Re: PCI:SSF - Safe SQL Query & operators filter  (Christophe Pettus <xof@thebuild.com>)
Responses Re: PCI:SSF - Safe SQL Query & operators filter
List pgsql-general
On 11/8/22 11:50, Christophe Pettus wrote:
>
>> On Nov 7, 2022, at 17:43, Jan Bilek <jan.bilek@eftlab.com.au> wrote:
>>
>> Well, superuser (our App) is already logged in and as it is designed
>> very much as an "appliance" it simply does that job - manages its
>> database.
> Well... don't do that. :)  The problem is analogous to having root log into a Linux box and run application commands.
It works, but it opens a security hole, as you've discovered.
 
>
>> Yes, agreed. Any ideas?
> In this particular case (creating an untrusted PL and functions therein), you'll need to use a PostgreSQL superuser.
Thisis a separate operation from routine application use, though.  (I'll note that having functions in an untrusted PL
ina PCI-sensitive system is not a great idea, as you'll need to audit them very closely to make sure that they can't do
anythinguntoward outside the role system.)
 

Thank you David, Laurentz & Christophe,

All excellent inputs.

I've realized that our reporting feature is wrapped-bound in a 
Transaction & Rollback. This actually came with an idea to Alter that 
role as a part of transaction.

It works in an excellent way!

BEGIN TRANSACTION;
alter role CURRENT_USER with NOSUPERUSER;
select * from pg_read_file('/etc/passwd' , 0 , 1000000);
ROLLBACK TRANSACTION;
BEGIN
ALTER ROLE
ERROR:  permission denied for function pg_read_file
ROLLBACK
bp-node=#

Even trying to break it seems to be difficult.

BEGIN TRANSACTION;
alter role CURRENT_USER with NOSUPERUSER;
alter role CURRENT_USER with SUPERUSER;
ROLLBACK TRANSACTION;
BEGIN
ALTER ROLE
ERROR:  must be superuser to alter superuser roles or change superuser 
attribute
ROLLBACK

I know it is not exactly what you suggested (and agreeing a lot with our 
app user shouldn't be running as superuser), but as all other inputs 
from our application come sanitized through bind and this is the only 
way where user can send an explicit command in there - I think it should do!

Please let me know if you approve.

Thanks & Cheers,
Jan

-- 
Jan Bilek - CTO at EFTlab Pty Ltd.


pgsql-general by date:

Previous
From: Laurenz Albe
Date:
Subject: Re: postgres replication without pg_basebackup? postgres 13.3
Next
From: Ashesh Vashi
Date:
Subject: Re: My account was locked in pgadmin4