Re: Is this a security oversight?
| От | Ben Tilly |
|---|---|
| Тема | Re: Is this a security oversight? |
| Дата | |
| Msg-id | CANoac9Xh-Z9Sv3kF2fUm5c3wfGCmB2gZHDphr5ABzV++zPUGOw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Is this a security oversight? (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: Is this a security oversight?
|
| Список | pgsql-sql |
Bizarre, I thought I had tested that by dropping superuser and trying it. But I must not have.
In that case please modify this to a request to allow casts to be created by a superuser without having to change the ownership of the objects involved.
On Tue, Aug 10, 2021 at 11:32 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Ben Tilly <btilly@gmail.com> writes:
> As a security rule, you cannot create a cast without owning one of the
> types.
Check.
> The following code successfully creates it, not as postgres and not as a
> superuser.
Really? When I try that as an ordinary user, I get
ERROR: must be owner of type boolean
CONTEXT: SQL statement "ALTER TYPE bool OWNER TO current_user"
PL/pgSQL function inline_code_block line 12 at SQL statement
If there is a way where that actually does work without superuser
privileges, please send the details to security@postgresql.org.
regards, tom lane
В списке pgsql-sql по дате отправления: