> On Apr 19, 2021, at 9:22 PM, Michael Paquier <mich...@paquier.xyz> wrote: > > On Mon, Apr 19, 2021 at 08:39:06PM -0700, Mark Dilger wrote: >> This is a classic privilege escalation attack. Bob has one >> privilege, and uses it to get another. > > Bob is a superuser, so it has all the privileges of the world for this > instance. In what is that different from BASE_BACKUP or just COPY > FROM PROGRAM? I think you are conflating the concept of an operating system adminstrator with the concept of the database superuser/owner. If the operating system user that postgres is running as cannot execute any binaries, then "copy from program" is not a way for a database admistrator to escape the jail. If Bob does not have ssh access to the system, he cannot run pg_basebackup. > I am not following your argument here. The argument is that the operating system user that postgres is running as, perhaps user "postgres", can read the files in the $PGDATA directory, but Bob can only see the MVCC view of the data, not the raw data. Installing contrib/amcheck allows Bob to get a peak behind the curtain. — Mark Dilger EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
- Re: pg_amcheck option to install extension Mark Dilger
- Re: pg_amcheck option to install extension Andrew Dunstan
- Re: pg_amcheck option to install extension Robert Haas
- Re: pg_amcheck option to install extension Magnus Hagander
- Re: pg_amcheck option to install extension Andrew Dunstan
- Re: pg_amcheck option to install extension Michael Paquier
- Re: pg_amcheck option to install extension Mark Dilger
- Re: pg_amcheck option to install extension Michael Paquier
- Re: pg_amcheck option to install extension Mark Dilger
- Re: pg_amcheck option to install extension Michael Paquier
- Re: pg_amcheck option to install extension Mark Dilger
- Re: pg_amcheck option to install extension Michael Paquier
- Re: pg_amcheck option to install extension Robert Haas
- Re: pg_amcheck option to install extension Mark Dilger
- Privilege boundary between sysadmin and database supe... Mark Dilger
- Re: Privilege boundary between sysadmin and database ... Tom Lane
- Re: Privilege boundary between sysadmin and database ... Mark Dilger
- Re: Privilege boundary between sysadmin and database ... Stephen Frost
- Re: pg_amcheck option to install extension Alvaro Herrera
- Re: pg_amcheck option to install extension Tom Lane
- Re: pg_amcheck option to install extension Andrew Dunstan