Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them
| От | Feike Steenbergen |
|---|---|
| Тема | Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them |
| Дата | |
| Msg-id | CAK_s-G2060Z1VZUkfspyrCHbmfp+dtUevQuDwt2G-zFxXp5pCQ@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them (jian he <jian.universality@gmail.com>) |
| Список | pgsql-hackers |
On Mon, 26 May 2025 at 16:17, jian he <jian.universality@gmail.com> wrote:
> calling exploit_generated.exploit by normal user or superuser the
> effects are different,
> that by definition is not IMMUTABLE.
Yeah, i know this is *wrong* usage of IMMUTABLE, the point is that a rogue
regular user *can* use this pattern to become superuser.
> I think I understand what you mean.
> but still that is not related to the generated column.
It is, as before this feature, it was safe to, as a superuser:
SELECT * FROM untrusted_table
However, as of now, in pg18 this may lead to any code defined by a
regular user to run in the context of a superuser.
I'm aware that this already exists (pg17) for:
- superuser selecting from a user defined view
- superuser executing a user defined function
- superuser inserting into a user defined table
However, this is *new* behavior, increasing the possibility of exploits.
Certain db clients (I checked DBeaver and pgAdmin4) allow a user to
peek into the table details using their GUI. When connected as a superuser,
that would trigger this exploit.
As a sidenote: It may be useful for the pgAdmin4/DBeaver and other clients
to somehow block this behavior when connected as a superuser anyway?
> calling exploit_generated.exploit by normal user or superuser the
> effects are different,
> that by definition is not IMMUTABLE.
Yeah, i know this is *wrong* usage of IMMUTABLE, the point is that a rogue
regular user *can* use this pattern to become superuser.
> I think I understand what you mean.
> but still that is not related to the generated column.
It is, as before this feature, it was safe to, as a superuser:
SELECT * FROM untrusted_table
However, as of now, in pg18 this may lead to any code defined by a
regular user to run in the context of a superuser.
I'm aware that this already exists (pg17) for:
- superuser selecting from a user defined view
- superuser executing a user defined function
- superuser inserting into a user defined table
However, this is *new* behavior, increasing the possibility of exploits.
Certain db clients (I checked DBeaver and pgAdmin4) allow a user to
peek into the table details using their GUI. When connected as a superuser,
that would trigger this exploit.
As a sidenote: It may be useful for the pgAdmin4/DBeaver and other clients
to somehow block this behavior when connected as a superuser anyway?
В списке pgsql-hackers по дате отправления: