Re: BUG #18936: Trigger enable users to modify the tables which he doesn't have privilege - Mailing list pgsql-bugs

From ZhangChi
Subject Re: BUG #18936: Trigger enable users to modify the tables which he doesn't have privilege
Date
Msg-id tencent_6FB22713DA38A8D08B25F3DDD06B9C792B07@qq.com
In response to Re: BUG #18936: Trigger enable users to modify the tables which he doesn't have privilege  (Laurenz Albe <laurenz.albe@cybertec.at>)
List pgsql-bugs
Thanks for your reply!

However, it is common in some database servers for an attacker to gain minimal privileges on a single table within a target database. For instance, when registering an account on a service, the system might grant the user access to a dedicated table. Using the TRIGGER mechanism as I showed, such an attacker could then delete or exfiltrate data from other tables beyond their authorized access. Notably, this attack doesn't require superuser privileges - only access to the two relevant tables.

Permitting users to create triggers that can affect tables beyond their privilege scope appears to be a problematic design choice. Such triggers may be inadvertently executed by privileged users without their knowledge, creating potential security vulnerabilities.
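The scenario described in this message is one where a role holding only the TRIGGER privilege on a single table attaches a trigger whose function then runs with the privileges of whichever user later modifies that table. The following SQL is an added example for defenders, not code from this thread or from the PostgreSQL project: it audits a database for the two conditions that make that possible (non-owner roles holding TRIGGER grants, and user triggers whose function is owned by a different role than the table) and shows the revoke that removes the grant. The schema, table and role names in the REVOKE are placeholders.

```sql
-- Added example (not from the original bug report). Run as a superuser or the
-- database owner against the database being audited.

-- 1. Which roles hold the TRIGGER privilege on tables they do not own?
--    These are the roles that can attach a trigger that other users will fire.
SELECT g.grantee,
       g.table_schema,
       g.table_name,
       g.grantor,
       g.is_grantable
FROM information_schema.role_table_grants AS g
JOIN pg_class      AS c ON c.relname = g.table_name
JOIN pg_namespace  AS n ON n.oid = c.relnamespace
                       AND n.nspname = g.table_schema
WHERE g.privilege_type = 'TRIGGER'
  AND g.grantee <> pg_get_userbyid(c.relowner)
ORDER BY g.table_schema, g.table_name, g.grantee;

-- 2. Which user-defined triggers call a function owned by someone other than
--    the table owner? Such a function runs with the caller's privileges on
--    every INSERT/UPDATE/DELETE by any user, so it is the place to look when
--    a low-privilege role can reach tables it has no direct grant on.
SELECT n.nspname                     AS table_schema,
       c.relname                     AS table_name,
       pg_get_userbyid(c.relowner)   AS table_owner,
       t.tgname                      AS trigger_name,
       p.proname                     AS trigger_function,
       pg_get_userbyid(p.proowner)   AS function_owner,
       p.prosecdef                   AS security_definer,
       t.tgenabled                   AS enabled_state
FROM pg_trigger   AS t
JOIN pg_class     AS c ON c.oid = t.tgrelid
JOIN pg_namespace AS n ON n.oid = c.relnamespace
JOIN pg_proc      AS p ON p.oid = t.tgfoid
WHERE NOT t.tgisinternal
  AND p.proowner <> c.relowner
ORDER BY 1, 2, 4;

-- 3. Mitigation: withdraw the TRIGGER privilege from application roles that
--    only need DML on their own table. Names below are placeholders.
REVOKE TRIGGER ON TABLE app_schema.user_data FROM app_user;
```

Query 2 deliberately reports the `tgenabled` state so that a trigger which has been disabled (`ALTER TABLE ... DISABLE TRIGGER`) is still visible to the reviewer rather than silently dropped from the list; `prosecdef` is included because a SECURITY DEFINER function changes which role's privileges apply when the trigger fires, which is the opposite of the confused-deputy case described above and is worth telling apart.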
