Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them - Mailing list pgsql-hackers
| From | Robert Haas |
|---|---|
| Subject | Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them |
| Date | |
| Msg-id | CA+Tgmob_TAd0V=B+JxdT7M_ZA+QE+PGYzbY0NCyV2mcQQPuWDA@mail.gmail.com Whole thread Raw |
| In response to | pg18: Virtual generated columns are not (yet) safe when superuser selects from them (Feike Steenbergen <feikesteenbergen@gmail.com>) |
| Responses |
Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them
Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them |
| List | pgsql-hackers |
On Mon, May 26, 2025 at 10:52 AM Feike Steenbergen <feikesteenbergen@gmail.com> wrote: > On Mon, 26 May 2025 at 16:17, jian he <jian.universality@gmail.com> wrote: > > calling exploit_generated.exploit by normal user or superuser the > > effects are different, > > that by definition is not IMMUTABLE. > > Yeah, i know this is *wrong* usage of IMMUTABLE, the point is that a rogue > regular user *can* use this pattern to become superuser. Before this discussion goes further in the wrong direction, I'd like to say thanks to Feike for catching this issue before we ship the feature. I'm not quite sure why some people are arguing with the conclusion that there is a problem here: not only is there an exploit script included in the original message, but there's also an included, quoted discussion with the security team where Noah agrees that a problem exists and that something will need to be done about it. David is correct to point out that there are already a lot of ways that a superuser can give away their privileges accidentally. In particular, as Feike says, if a superuser performs DML on a non-superuser owned table, it can fire a SECURITY INVOKER trigger which, because the superuser is the invoker, will run as superuser and can do anything, including confer superuser privileges on the author of the trigger code. That is a pretty deplorable situation and we should really, really do something about it, but we technically don't classify it as a security vulnerability: we say that's user error on the part of the superuser. But so far - apart from this feature - we have managed to avoid making it categorically unsafe for the superuser to run "SELECT * FROM table", which is a pretty good thing, because if the superuser couldn't do at least that much, that would also imply, for example, that there's no way to run a pg_dump without letting any user on the system obtain superuser privileges. Point being: this feature will need to be fixed in some way that avoids further expanding the set of things that a superuser must not ever do for fear of giving away their privileges accidentally, or else it will need to be reverted. What we should be discussing here is whether to revert it and, if not, how to fix it. In making that decision, it might be a good idea to consider what else is potentially problematic about this feature. I know of one other issue, related to planning speed: http://postgr.es/m/1514756.1747925490@sss.pgh.pa.us In that email, Tom suggests that the appropriate fix might be to move expansion to the rewriter, but I think that is probably not the right solution, because 1e4351af329f2949c679a215f63c51d663ecd715 moved it from the rewriter to the planner to fix various problems discussed on the thread. But we should decide whether the resulting situation is acceptable to ship. To be clear, I like this feature in concept and I don't want it to crash and burn. But I even more don't want to ship something and then have a bunch of problems later that we can't really do anything about. -- Robert Haas EDB: http://www.enterprisedb.com
pgsql-hackers by date: