Re: [GENERAL] Advisory on possibly insecure security definer functions
On Wed, 14 Feb 2007, Peter Eisentraut wrote: By installing functions or operators with appropriate signatures in other schemas, users can then redirect any function or operator call in the function code to implementations of their choice [snip] The proper fix for this problem is to insert explicit SET search_path commands into each affected function to produce a known safe schema search path. This fix is not enough in certain common configurations. I've sent a proof of concept to securityatpostgresql.org, but I won't disclose it before I'm allowed to by security team. Regards Tometzky -- ...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were... Winnie the Pooh ---(end of broadcast)--- TIP 1: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to [EMAIL PROTECTED] so that your message can get through to the mailing list cleanly
Re: [GENERAL] Advisory on possibly insecure security definer functions
On 2/13/07, Peter Eisentraut [EMAIL PROTECTED] wrote: The proper fix for this problem is to insert explicit SET search_path commands into each affected function to produce a known safe schema search path. Note that using the default search path, which includes a reference to the $user schema, is not safe when unqualified references are intended to be found in the public schema and $user schemas exist or can be created by other users. It is also not recommended to rely on rigorously schema-qualifying all function and operator invocations in function source texts, as such measures are likely to induce mistakes and will furthermore make the source code harder to read and maintain. Could you clarify what functions are going to get an explicit 'set search_path'? Will this change the behavior of any userland functions? merlin ---(end of broadcast)--- TIP 4: Have you searched our list archives? http://archives.postgresql.org/
Re: [GENERAL] Advisory on possibly insecure security definer functions
Am Mittwoch, 14. Februar 2007 16:31 schrieb Merlin Moncure: Could you clarify what functions are going to get an explicit 'set search_path'? Will this change the behavior of any userland functions? Nothing is going to get anything. You have to fix all affected functions yourself. -- Peter Eisentraut http://developer.postgresql.org/~petere/ ---(end of broadcast)--- TIP 2: Don't 'kill -9' the postmaster