Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Ashutosh Sharma <ashu.coek88@gmail.com>
From: Ashutosh Sharma <ashu.coek88@gmail.com>
To: John H <johnhyvr@gmail.com>
Cc: Alexander Kukushkin <cyberdemn@gmail.com>,
Jelte Fennema-Nio <postgres@jeltef.nl>, Jeff Davis <pgsql@j-davis.com>,
Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-06-18T04:14:54Z
Lists: pgsql-hackers
Hi John, On Tue, Jun 18, 2024 at 2:35 AM John H <johnhyvr@gmail.com> wrote: > > Hi Ashutosh, > > Thinking about this more, could you clarify the problem/issue at hand? > I think it's still not clear to me. > Yes, CREATE EXTENSION can create functions that lead to unexpected > privilege escalation, regardless > if they are SECURITY DEFINER or SECURITY INVOKER (if the function is > inadvertently executed by superuser). > But that's also true for a general CREATE FUNCTION call outside of extensions. > This specifically applies to extension functions, not standalone functions created independently. The difference is that installing extensions typically requires superuser privileges, which is not the case with standalone functions. -- With Regards, Ashutosh Sharma.