Re: Schema Usage Patterns vs. dbowner or CREATEROLE
Noah Misch <noah@leadboat.com>
From: Noah Misch <noah@leadboat.com>
To: pgsql-docs@postgresql.org
Date: 2019-12-01T22:38:49Z
Lists: pgsql-docs
Attachments
- dbowner-schema-security-doc-v1.patch (text/x-diff) patch v1
On Sat, Oct 12, 2019 at 06:35:12PM -0700, Noah Misch wrote: > When I updated > https://www.postgresql.org/docs/devel/ddl-schemas.html#DDL-SCHEMAS-PATTERNS > for CVE-2018-1058, I wrote that some schema usage patterns are secure against > CREATEROLE users and database owners. That was incorrect. Even with the > first pattern, a database owner can attack the database's users via "CREATE > SCHEMA trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". A > CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the database > owner attack. I plan to update this section to assert that all three usage > patterns are equally vulnerable to dbowner and CREATEROLE attack. (The > technique described under "If untrusted users have access to a database ..." > in libpq.sgml remains secure.) I'm attaching a patch for that. Two of the patterns became so similar that I merged them.
Commits
-
Document search_path security with untrusted dbowner or CREATEROLE.
- 08395e592cbc 9.4.26 landed
- b97857b67659 11.7 landed
- 690974297661 10.12 landed
- 3056258149c1 9.5.21 landed
- 0c1008dd455a 9.6.17 landed
- cc4371dc3453 12.2 landed
- fd5e16e782fc 13.0 landed