Changes between Initial Version and Version 1 of Ticket #5165, comment 2


Timestamp:
Jun 8, 2022, 10:53:29 AM (2 years ago)
Author:
robe

  • Ticket #5165, comment 2

    initial → v1

    Unmodified:
    The danger for ALTER EXTENSION here is if a regular untrusted user knows a function exists in postgis in a newer version not yet installed.  They go create a function with that signature with the future expectation that postgis will be upgraded.  Then when ALTER EXTENSION UPDATE is done, our function would now make a function they own be part of postgis, and they could then change that function putting malicious things in there.  If a super user then runs this co-opted function, they could accidentally elevate the privileges of said user (cause it would be running under super user rights).

    Removed (initial):
    In practice people can easily avoid this by preventing untrusted users from creating things in a schema where postgis is installed.  We could also force ownership of all postgis packaged functions at the end to be owned by the person running create extension.  I think the force is not a good idea because I suspect DbaaS are looking for that kind of stuff and would treat it as a threat and bail out.  It probably would be seen as such too by many vulnerability scanners.  So our attempt to mitigate such a thing would look like we're trying to cause such a thing to happen.

    Added (v1):
    In practice people can easily avoid this by preventing untrusted users from creating things in a schema where postgis is installed.  We could also force ownership of all postgis packaged functions at the end to be owned by the person running ALTER EXTENSION.  I think the force is not a good idea because I suspect DbaaS are looking for that kind of stuff and would treat it as a threat and bail out.  It probably would be seen as such too by many vulnerability scanners.  So our attempt to mitigate such a thing would look like we're trying to cause such a thing to happen.
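The mitigation and the ownership concern in the comment above, expressed as a DBA's pre- and post-upgrade audit (an added example, not part of the ticket or of PostGIS itself; it assumes the extension lives in a schema named `postgis`, substitute your own):

```sql
-- Added example, not from the ticket. Assumes postgis is installed in the
-- schema "postgis"; replace that name with the schema you actually use.

-- 1. The mitigation the comment recommends: untrusted roles must not be
--    able to create objects in the schema that holds the extension.
REVOKE CREATE ON SCHEMA postgis FROM PUBLIC;

-- 2. Pre-upgrade check: every function in that schema that is NOT currently
--    a member of the postgis extension, with its owner. Any row is a
--    function that a later ALTER EXTENSION ... UPDATE could adopt if the
--    new version ships a function with the same signature, so review it
--    before upgrading.
SELECT p.oid::regprocedure            AS signature,
       pg_get_userbyid(p.proowner)    AS owner,
       pg_get_userbyid(e.extowner)    AS extension_owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_extension e ON e.extname = 'postgis'
WHERE n.nspname = 'postgis'
  AND NOT EXISTS (
        SELECT 1
        FROM pg_depend d
        WHERE d.classid    = 'pg_proc'::regclass
          AND d.objid      = p.oid
          AND d.refclassid = 'pg_extension'::regclass
          AND d.refobjid   = e.oid
          AND d.deptype    = 'e')   -- 'e' = extension membership
ORDER BY 1;

-- 3. Post-upgrade check: functions that are members of the extension but
--    are owned by a role other than the extension owner. Rows here are
--    what the "force ownership" option discussed in the comment would have
--    corrected; inspect them before any superuser calls them.
SELECT p.oid::regprocedure         AS signature,
       pg_get_userbyid(p.proowner) AS owner,
       pg_get_userbyid(e.extowner) AS extension_owner
FROM pg_depend d
JOIN pg_proc p      ON p.oid = d.objid
JOIN pg_extension e ON e.oid = d.refobjid
WHERE d.classid    = 'pg_proc'::regclass
  AND d.refclassid = 'pg_extension'::regclass
  AND d.deptype    = 'e'
  AND e.extname    = 'postgis'
  AND p.proowner  <> e.extowner
ORDER BY 1;
```

An empty result from both queries is the expected state on a healthy install; a non-empty one is the signal to investigate before (query 2) or after (query 3) running the upgrade.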