Re: BUG #18387: Erroneous permission checks and/or misleading error messages with refresh materialized view

Laurenz Albe <laurenz.albe@cybertec.at>

From: Laurenz Albe <laurenz.albe@cybertec.at>
To: Maxim Boguk <maxim.boguk@gmail.com>, Heikki Linnakangas <hlinnaka@iki.fi>
Cc: pgsql-bugs@lists.postgresql.org
Date: 2024-03-12T12:22:33Z
Lists: pgsql-bugs
On Tue, 2024-03-12 at 12:40 +0200, Maxim Boguk wrote:
> May I suggest a change to always allow superuser run
> REFRESH MATERIALIZED VIEW (may be via set role or similar mechanics)?

If the query ran with superuser permissions, that would be
a security problem:

  CREATE TABLE log (t text);

  CREATE FUNCTION f() RETURNS integer LANGUAGE sql
     AS 'INSERT INTO log VALUES (''x''); SELECT 42';

  CREATE MATERIALIZED VIEW v AS SELECT f();

Now imagine you create a malicious trigger on "log" and
get a superuser to refresh the materialized view.


I don't see why it should be a problem if a superuser gets
"permission denied" in such a case.  They can also get it if
they call a SECURITY DEFINER function owned by a non-superuser.

Yours,
Laurenz Albe