Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions

Jeff Davis <pgsql@j-davis.com>

From: Jeff Davis <pgsql@j-davis.com>
To: Robert Haas <robertmhaas@gmail.com>, John H <johnhyvr@gmail.com>
Cc: Alexander Kukushkin <cyberdemn@gmail.com>, Ashutosh Sharma <ashu.coek88@gmail.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-06-12T20:52:31Z
Lists: pgsql-hackers
On Wed, 2024-06-12 at 15:36 -0400, Robert Haas wrote:
> But I think there's another problem, which is
> that if the extension is relocatable, how do you set a secure
> search_path? You could say SET search_path = foo, pg_catalog if you
> know the extension will be installed in schema foo, but if you don't
> know in what schema the extension will be installed, then what are
> you
> supposed to do? The proposal of litting $extension_schema could help
> with that ...
> 
> ...except I'm not sure that's really a full solution either, because
> what if the extension is installed into a schema that's writable by
> others, like public?

Jelte proposed something to fix that here:

https://www.postgresql.org/message-id/CAGECzQQzDqDzakBkR71ZkQ1N1ffTjAaruRSqppQAKu3WF%2B6rNQ%40mail.gmail.com


Regards,
	Jeff Davis