Thread

Commits

  1. Document search_path security with untrusted dbowner or CREATEROLE.

  1. Schema Usage Patterns vs. dbowner or CREATEROLE

    Noah Misch <noah@leadboat.com> — 2019-10-13T01:35:12Z

    When I updated
    https://www.postgresql.org/docs/devel/ddl-schemas.html#DDL-SCHEMAS-PATTERNS
    for CVE-2018-1058, I wrote that some schema usage patterns are secure against
    CREATEROLE users and database owners.  That was incorrect.  Even with the
    first pattern, a database owner can attack the database's users via "CREATE
    SCHEMA trojan; ALTER DATABASE $mydb SET search_path = trojan, public;".  A
    CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the database
    owner attack.  I plan to update this section to assert that all three usage
    patterns are equally vulnerable to dbowner and CREATEROLE attack.  (The
    technique described under "If untrusted users have access to a database ..."
    in libpq.sgml remains secure.)
    
    
    
    
  2. Re: Schema Usage Patterns vs. dbowner or CREATEROLE

    Noah Misch <noah@leadboat.com> — 2019-12-01T22:38:49Z

    On Sat, Oct 12, 2019 at 06:35:12PM -0700, Noah Misch wrote:
    > When I updated
    > https://www.postgresql.org/docs/devel/ddl-schemas.html#DDL-SCHEMAS-PATTERNS
    > for CVE-2018-1058, I wrote that some schema usage patterns are secure against
    > CREATEROLE users and database owners.  That was incorrect.  Even with the
    > first pattern, a database owner can attack the database's users via "CREATE
    > SCHEMA trojan; ALTER DATABASE $mydb SET search_path = trojan, public;".  A
    > CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the database
    > owner attack.  I plan to update this section to assert that all three usage
    > patterns are equally vulnerable to dbowner and CREATEROLE attack.  (The
    > technique described under "If untrusted users have access to a database ..."
    > in libpq.sgml remains secure.)
    
    I'm attaching a patch for that.  Two of the patterns became so similar that I
    merged them.