Re: Non-superuser subscription owners
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Andres Freund <andres@anarazel.de>
Cc: Mark Dilger <mark.dilger@enterprisedb.com>,
Jeff Davis <pgsql@j-davis.com>, Amit Kapila <amit.kapila16@gmail.com>, Andrew Dunstan <andrew@dunslane.net>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2023-02-06T19:07:39Z
Lists: pgsql-hackers
On Fri, Feb 3, 2023 at 3:47 AM Andres Freund <andres@anarazel.de> wrote: > On 2023-02-02 09:28:03 -0500, Robert Haas wrote: > > I don't know what you mean by this. DML doesn't confer privileges. If > > code gets executed and runs with the replication user's credentials, > > that could lead to privilege escalation, but just moving rows around > > doesn't, at least not in the database sense. > > Executing DML ends up executing code. Think predicated/expression > indexes, triggers, default expressions etc. If a badly written trigger > etc can be tricked to do arbitrary code exec, an attack will be able to > run with the privs of the run-as user. How bad that is is influenced to > some degree by the amount of privileges that user has. I spent some time studying this today. I think you're right. What I'm confused about is: why do we consider this situation even vaguely acceptable? Isn't this basically an admission that our logical replication security model is completely and totally broken and we need to fix it somehow and file for a CVE number? Like, in released branches, you can't even have a subscription owned by a non-superuser. But any non-superuser can set a default expression or create an enable always trigger and sure enough, if that table is replicated, the system will run that trigger as the subscription owner, who is a superuser. Which AFAICS means that if a non-superuser owns a table that is part of a subscription, they can instantly hack superuser. Which seems, uh, extremely bad. Am I missing something? Based on other remarks you made upthread, it seems like we ought to be doing the actual replication as the table owner, since the table owner has to be prepared for executable code attached to the table to be re-run on rows in the table at any table when somebody does a REINDEX. And then, in master, where there's some provision for non-superuser subscription owners, we maybe need to re-think the privileges required to replicate into a table in the first place. I don't think that having I/U/D permissions on a table is really sufficient to justify performing those operations *as the table owner*; perhaps the check ought to be whether you have the privileges of the table owner. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix possible crash in tablesync worker.
- b5c517379a40 16.0 landed
-
Display 'password_required' option for \dRs+ command.
- 19e65dff38bd 16.0 landed
-
Restart the apply worker if the 'password_required' option is changed.
- c1cc4e688b60 16.0 landed
-
Fix possible logical replication crash.
- e7e7da2f8d57 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 landed
-
Expand AclMode to 64 bits
- 7b378237aa80 16.0 cited
-
More cleanup of a2ab9c06ea.
- 96a6f11c0625 15.0 landed
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 landed
-
Improve table locking behavior in the face of current DDL.
- 2ad36c4e44c8 9.2.0 cited