On 03/12/2014 11:40 AM, Tom Lane wrote:
> Andrew Dunstan <and...@dunslane.net> writes:
>> On 03/12/2014 02:09 PM, Josh Berkus wrote:
>>> Well, if you really want my "I want a pony" list:
>>>
>>> Local superusers (maybe this concept needs another name) would be able
>>> to do the following things in a *single* database:
>>>
>>> 1 change permissions for other users on that database and its objects
>>> 2 load extensions from a predefined .so directory / list
>>> 3 create/modify untrusted language functions
>>> 4 create per-database users and change their settings
>>> 5 change database settings (SET stuff)
>>> 6 NOT change their own user settings
>>> 7 NOT change any global users
>>> 8 NOT run SET PERSISTENT or other commands with global effect
>
>> Item 3 gives away the store.
>
> Indeed. If you can do (3), you can break out of any of the other
> constraints. I suspect even (1) and/or (5) would be enough to mount
> trojan-horse attacks against real superusers who visit your database.

... nobody reads my whole post, except Stephen. :-(

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers