Re: pg_amcheck option to install extension

Mark Dilger <mark.dilger@enterprisedb.com>

From: Mark Dilger <mark.dilger@enterprisedb.com>
To: Michael Paquier <michael@paquier.xyz>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Andrew Dunstan <andrew@dunslane.net>, Alvaro Herrera <alvherre@alvh.no-ip.org>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2021-04-20T05:31:18Z
Lists: pgsql-hackers

> On Apr 19, 2021, at 9:22 PM, Michael Paquier <michael@paquier.xyz> wrote:
> 
> On Mon, Apr 19, 2021 at 08:39:06PM -0700, Mark Dilger wrote:
>> This is a classic privilege escalation attack.  Bob has one
>> privilege, and uses it to get another.
> 
> Bob is a superuser, so it has all the privileges of the world for this
> instance.  In what is that different from BASE_BACKUP or just COPY
> FROM PROGRAM?

I think you are conflating the concept of an operating system adminstrator with the concept of the database superuser/owner.  If the operating system user that postgres is running as cannot execute any binaries, then "copy from program" is not a way for a database admistrator to escape the jail.  If Bob does not have ssh access to the system, he cannot run pg_basebackup. 

> I am not following your argument here.

The argument is that the operating system user that postgres is running as, perhaps user "postgres", can read the files in the $PGDATA directory, but Bob can only see the MVCC view of the data, not the raw data.  Installing contrib/amcheck allows Bob to get a peak behind the curtain.

—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company






Commits

  1. Provide pg_amcheck with an --install-missing option