On Mon, Apr 19, 2021 at 07:15:23PM -0700, Mark Dilger wrote:
> There is another issue to consider. Installing pg_amcheck in no way
> opens up an avenue of attack that I can see. It is just a client
> application with no special privileges. But installing amcheck
> arguably opens a line of attack; not one as significant as
> installing pageinspect, but of the same sort. Amcheck allows
> privileged database users to potentially get information from the
> tables that would otherwise be invisible even to them according to
> mvcc rules. (Is this already the case via some other functionality?
> Maybe this security problem already exists?) If the privileged
> database user has file system access, then this is not at all
> concerning, since they can already just open the files in a tool of
> their choice, but I don't see any reason why installations should
> require that privileged database users also be privileged to access
> the file system.

By default, any functions deployed with amcheck have their execution rights revoked from public, meaning that only a superuser can run them with a default installation. A non-superuser could execute them only once GRANT'd access to them.

--
Michael
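
The default described in the reply above can be checked against the system catalogs. The query below is an added example, not part of the original thread; it assumes the extension is installed under the name amcheck in the current database and lists every role other than the function owner (or PUBLIC) that holds a privilege on one of its functions.

```sql
-- Added example: audit non-owner privileges on functions installed by amcheck.
-- Assumption: the extension is registered as 'amcheck' in this database.
SELECT p.oid::regprocedure            AS function_signature,
       pg_get_userbyid(p.proowner)    AS owner,
       CASE WHEN a.grantee = 0        -- grantee OID 0 is the PUBLIC pseudo-role
            THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee)
       END                            AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_extension e
JOIN pg_depend d
  ON d.refclassid = 'pg_extension'::regclass
 AND d.refobjid   = e.oid
 AND d.classid    = 'pg_proc'::regclass
 AND d.deptype    = 'e'               -- 'e' marks objects that belong to the extension
JOIN pg_proc p
  ON p.oid = d.objid
-- A NULL proacl means built-in defaults apply (EXECUTE to PUBLIC),
-- so fall back to acldefault() instead of silently skipping the row.
CROSS JOIN LATERAL aclexplode(
       coalesce(p.proacl, acldefault('f', p.proowner))
     ) AS a
WHERE e.extname = 'amcheck'
  AND a.grantee <> p.proowner         -- hide the owner's own entry
ORDER BY p.proname, grantee;
```

An empty result corresponds to the default installation described in the reply; any returned row is a role, or PUBLIC, that was granted access after installation.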