Re: BUG #18387: Erroneous permission checks and/or misleading error messages with refresh materialized view

Bruce Momjian <bruce@momjian.us>

From: Bruce Momjian <bruce@momjian.us>
To: Laurenz Albe <laurenz.albe@cybertec.at>
Cc: Maxim Boguk <maxim.boguk@gmail.com>, Heikki Linnakangas <hlinnaka@iki.fi>, pgsql-bugs@lists.postgresql.org
Date: 2024-03-13T17:08:09Z
Lists: pgsql-bugs
On Tue, Mar 12, 2024 at 01:22:33PM +0100, Laurenz Albe wrote:
> On Tue, 2024-03-12 at 12:40 +0200, Maxim Boguk wrote:
> > May I suggest a change to always allow superuser run
> > REFRESH MATERIALIZED VIEW (may be via set role or similar mechanics)?
> 
> If the query ran with superuser permissions, that would be
> a security problem:
> 
>   CREATE TABLE log (t text);
> 
>   CREATE FUNCTION f() RETURNS integer LANGUAGE sql
>      AS 'INSERT INTO log VALUES (''x''); SELECT 42';
> 
>   CREATE MATERIALIZED VIEW v AS SELECT f();
> 
> Now imagine you create a malicious trigger on "log" and
> get a superuser to refresh the materialized view.
> 
> 
> I don't see why it should be a problem if a superuser gets
> "permission denied" in such a case.  They can also get it if
> they call a SECURITY DEFINER function owned by a non-superuser.

Can we improve the error that superusers get so they realize how to fix
it?

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.