Re: SQL-standard function bodies and creating SECURITY DEFINER routines securely - Mailing list pgsql-docs
| From | Erki Eessaar |
|---|---|
| Subject | Re: SQL-standard function bodies and creating SECURITY DEFINER routines securely |
| Date | |
| Msg-id | AM9PR01MB8268FB1629B5AAF1680E0594FE5C9@AM9PR01MB8268.eurprd01.prod.exchangelabs.com Whole thread Raw |
| In response to | Re: SQL-standard function bodies and creating SECURITY DEFINER routines securely (Bruce Momjian <bruce@momjian.us>) |
| Responses |
Re: SQL-standard function bodies and creating SECURITY DEFINER routines securely
|
| List | pgsql-docs |
Hello
I confirmed, that setting search_path is indeed sometimes needed in case of SECURITY DEFINER routines that have SQL-standard bodies. See an example at the end of the letter.
I suggest the following paragraph to the documentation:
Starting from PostgreSQL 14 SQL-standard bodies can be used in SQL-language functions. This form tracks dependencies between the function and objects used in the function body. However, there is still a possibility that such function calls other code that reacts to search path. Thus, as a best practice, SECURITY DEFINER functions with SQL-standard bodies should also override search_path.
Best regards
Erki Eessaar
*************************
/*Table in the schema public.*/
CREATE TABLE public.A(a INTEGER PRIMARY KEY);
/*Table in the schema pg_temp.*/
CREATE TABLE pg_temp.A(a INTEGER PRIMARY KEY);
/*SECURITY DEFINER function without SQL-standard function body.*/
CREATE OR REPLACE FUNCTION f1 () RETURNS VOID
AS $$
INSERT INTO A(a) VALUES (1);
$$ LANGUAGE sql SECURITY DEFINER;
/*SECURITY DEFINER function with SQL-standard function body that invokes
the function without SQL-standard function body. It does not explicitly set the search path.*/
CREATE OR REPLACE FUNCTION f2 () RETURNS VOID
LANGUAGE sql SECURITY DEFINER
BEGIN ATOMIC
SELECT f1();
END;
/*SECURITY DEFINER function with SQL-standard function body that invokes
the function without SQL-standard function body. It does explicitly set the search path.*/
CREATE OR REPLACE FUNCTION f2_secure () RETURNS VOID
LANGUAGE sql SECURITY DEFINER
SET search_path = public, pg_temp
BEGIN ATOMIC
SELECT f1();
END;
SELECT f2();
SELECT * FROM public.A;
/*Result 0 rows.*/
SELECT * FROM pg_temp.A;
/*Result 1 row.*/
DELETE FROM pg_temp.A;
SELECT f2_secure();
SELECT * FROM public.A;
/*Result 1 row. SET search_path in the invoking function had an effect to the invoked function*/
SELECT * FROM pg_temp.A;
/*Result 0 rows.*/
From: Bruce Momjian <bruce@momjian.us>
Sent: Wednesday, September 28, 2022 8:07 PM
To: Erki Eessaar <erki.eessaar@taltech.ee>
Cc: pgsql-docs@lists.postgresql.org <pgsql-docs@lists.postgresql.org>
Subject: Re: SQL-standard function bodies and creating SECURITY DEFINER routines securely
Sent: Wednesday, September 28, 2022 8:07 PM
To: Erki Eessaar <erki.eessaar@taltech.ee>
Cc: pgsql-docs@lists.postgresql.org <pgsql-docs@lists.postgresql.org>
Subject: Re: SQL-standard function bodies and creating SECURITY DEFINER routines securely
On Tue, Aug 16, 2022 at 03:32:36PM -0400, Bruce Momjian wrote:
> On Sat, Dec 25, 2021 at 02:36:27PM +0000, Erki Eessaar wrote:
> >
> > Hello
> >
> > PostgreSQL 14 added the feature: "Allow SQL-language functions and procedures
> > to use SQL-standard function bodies."
> >
> > If I understand correctly, then in this case the system will track
> > dependencies between tables and routines that use the tables. Thus, the
> > SECURITY DEFINER routines that use the new approach do not require the
> > following mitigation, i.e., SET search_path= is not needed. The following part
> > of documentation does not mention this.
> >
> > https://www.postgresql.org/docs/current/sql-createfunction.html#
> > SQL-CREATEFUNCTION-SECURITY
> >
> > [elephant] PostgreSQL: Documentation: 14: CREATE FUNCTION
> > Overloading. PostgreSQL allows function overloading; that is, the
> > same name can be used for several different functions so long as
> > they have distinct input argument types.Whether or not you use it,
> > this capability entails security precautions when calling functions
> > in databases where some users mistrust other users; see Section
> > 10.3.. Two functions are considered the same if they have the same
> > ...
> > www.postgresql.org
>
> I have written the attached patch to mention this issue about sql_body
> functions.
The doc patch was reverted based on feedback in this email thread:
https://www.postgresql.org/message-id/flat/AM9PR01MB8268BF5E74E119828251FD34FE409%40AM9PR01MB8268.eurprd01.prod.exchangelabs.com
If you think we should add new wording, please suggest it, thanks.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Indecision is a decision. Inaction is an action. Mark Batterson
> On Sat, Dec 25, 2021 at 02:36:27PM +0000, Erki Eessaar wrote:
> >
> > Hello
> >
> > PostgreSQL 14 added the feature: "Allow SQL-language functions and procedures
> > to use SQL-standard function bodies."
> >
> > If I understand correctly, then in this case the system will track
> > dependencies between tables and routines that use the tables. Thus, the
> > SECURITY DEFINER routines that use the new approach do not require the
> > following mitigation, i.e., SET search_path= is not needed. The following part
> > of documentation does not mention this.
> >
> > https://www.postgresql.org/docs/current/sql-createfunction.html#
> > SQL-CREATEFUNCTION-SECURITY
> >
> > [elephant] PostgreSQL: Documentation: 14: CREATE FUNCTION
> > Overloading. PostgreSQL allows function overloading; that is, the
> > same name can be used for several different functions so long as
> > they have distinct input argument types.Whether or not you use it,
> > this capability entails security precautions when calling functions
> > in databases where some users mistrust other users; see Section
> > 10.3.. Two functions are considered the same if they have the same
> > ...
> > www.postgresql.org
>
> I have written the attached patch to mention this issue about sql_body
> functions.
The doc patch was reverted based on feedback in this email thread:
https://www.postgresql.org/message-id/flat/AM9PR01MB8268BF5E74E119828251FD34FE409%40AM9PR01MB8268.eurprd01.prod.exchangelabs.com
If you think we should add new wording, please suggest it, thanks.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Indecision is a decision. Inaction is an action. Mark Batterson
pgsql-docs by date: