Re: pg_amcheck option to install extension
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: Mark Dilger <mark.dilger@enterprisedb.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Andrew Dunstan <andrew@dunslane.net>, Alvaro Herrera <alvherre@alvh.no-ip.org>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2021-04-20T03:06:55Z
Lists: pgsql-hackers
On Mon, Apr 19, 2021 at 07:15:23PM -0700, Mark Dilger wrote: > There is another issue to consider. Installing pg_amcheck in no way > opens up an avenue of attack that I can see. It is just a client > application with no special privileges. But installing amcheck > arguably opens a line of attack; not one as significant as > installing pageinspect, but of the same sort. Amcheck allows > privileged database users to potentially get information from the > tables that would otherwise be invisible even to them according to > mvcc rules. (Is this already the case via some other functionality? > Maybe this security problem already exists?) If the privileged > database user has file system access, then this is not at all > concerning, since they can already just open the files in a tool of > their choice, but I don't see any reason why installations should > require that privileged database users also be privileged to access > the file system. By default, any functions deployed with amcheck have their execution rights revoked from public, meaning that only a superuser can run them with a default installation. A non-superuser could execute them only once GRANT'd access to them. -- Michael
Commits
-
Provide pg_amcheck with an --install-missing option
- b859d94c6389 14.0 landed