Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions

Hi John,

On Tue, Jun 18, 2024 at 2:35 AM John H <johnhyvr@gmail.com> wrote:
>
> Hi Ashutosh,
>
> Thinking about this more, could you clarify the problem/issue at hand?
> I think it's still not clear to me.
> Yes, CREATE EXTENSION can create functions that lead to unexpected
> privilege escalation, regardless
>  if they are SECURITY DEFINER or SECURITY INVOKER (if the function is
> inadvertently executed by superuser).
> But that's also true for a general CREATE FUNCTION call outside of extensions.
>

This specifically applies to extension functions, not standalone
functions created independently. The difference is that installing
extensions typically requires superuser privileges, which is not the
case with standalone functions.

--
With Regards,
Ashutosh Sharma.