Re: [GENERAL] Advisory on possibly insecure security definer functions

[Tomasz Ostrowski]

On Wed, 14 Feb 2007, Peter Eisentraut wrote:

 By installing functions or operators with appropriate signatures in
 other schemas, users can then redirect any function or operator
 call in the function code to implementations of their choice
 [snip]
 The proper fix for this problem is to insert explicit SET search_path 
 commands into each affected function to produce a known safe schema 
 search path.

This fix is not enough in certain common configurations. I've sent a
proof of concept to securityatpostgresql.org, but I won't disclose
it before I'm allowed to by security team.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh

---(end of broadcast)---
TIP 1: if posting/reading through Usenet, please send an appropriate
   subscribe-nomail command to [EMAIL PROTECTED] so that your
   message can get through to the mailing list cleanly

Re: [GENERAL] Advisory on possibly insecure security definer functions

[Merlin Moncure]

On 2/13/07, Peter Eisentraut [EMAIL PROTECTED] wrote:

The proper fix for this problem is to insert explicit SET search_path
commands into each affected function to produce a known safe schema
search path.  Note that using the default search path, which includes a
reference to the $user schema, is not safe when unqualified
references are intended to be found in the public schema and $user
schemas exist or can be created by other users.  It is also not
recommended to rely on rigorously schema-qualifying all function and
operator invocations in function source texts, as such measures are
likely to induce mistakes and will furthermore make the source code
harder to read and maintain.


Could you clarify what functions are going to get an explicit 'set
search_path'?  Will this change the behavior of any userland
functions?

merlin

---(end of broadcast)---
TIP 4: Have you searched our list archives?

  http://archives.postgresql.org/

Re: [GENERAL] Advisory on possibly insecure security definer functions

[Peter Eisentraut]

Am Mittwoch, 14. Februar 2007 16:31 schrieb Merlin Moncure:
 Could you clarify what functions are going to get an explicit 'set
 search_path'?  Will this change the behavior of any userland
 functions?

Nothing is going to get anything.  You have to fix all affected functions 
yourself.

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/

---(end of broadcast)---
TIP 2: Don't 'kill -9' the postmaster

[GENERAL] Advisory on possibly insecure security definer functions

[Peter Eisentraut]

It has come to the attention of the core team of the PostgreSQL project 
that insecure programming practice is widespread in SECURITY DEFINER 
functions.  Many of these functions are exploitable in that they allow 
users that have the privilege to execute such a function to execute 
arbitrary code with the privileges of the owner of the function.

The SECURITY DEFINER property of functions is a special non-default 
property that causes such functions to be executed with the privileges 
of their owner rather than with the privileges of the user invoking the 
function (the default mode, SECURITY INVOKER).  Thus, this mechanism is 
very similar to the setuid mechanism in Unix operating systems.

Because SQL object references in function code are resolved at run time, 
any references to SQL objects that are not schema qualified are 
resolved using the schema search path of the session at run time, which 
is under the control of the calling user.  By installing functions or 
operators with appropriate signatures in other schemas, users can then 
redirect any function or operator call in the function code to 
implementations of their choice, which, in case of SECURITY DEFINER 
functions, will still be executed with the function owner privileges.  
Note that even seemingly innocent invocations of arithmetic operators 
are affected by this issue, so it is likely that a large fraction of 
all existing functions are exploitable.

The proper fix for this problem is to insert explicit SET search_path 
commands into each affected function to produce a known safe schema 
search path.  Note that using the default search path, which includes a 
reference to the $user schema, is not safe when unqualified 
references are intended to be found in the public schema and $user 
schemas exist or can be created by other users.  It is also not 
recommended to rely on rigorously schema-qualifying all function and 
operator invocations in function source texts, as such measures are 
likely to induce mistakes and will furthermore make the source code 
harder to read and maintain.

This problem affects all existing PostgreSQL releases since version 7.3.  
Because this situation is a case of poor programming practice in 
combination with a design mistake and inadequate documentation, no 
security releases of PostgreSQL will be made to address this problem at 
this time.  Instead, all users are urged to hastily correct their code 
as described above.  Appropriate technological fixes for this problem 
are being investigated for inclusion with PostgreSQL 8.3.

---(end of broadcast)---
TIP 5: don't forget to increase your free space map settings